https://www.owasp.org/api.php?action=feedcontributions&user=Sapao&feedformat=atomOWASP - User contributions [en]2015-08-02T18:30:55ZUser contributionsMediaWiki 1.23.8https://www.owasp.org/index.php/User:SapaoUser:Sapao2014-09-15T21:21:17Z<p>Sapao: /* Involvement in OWASP */</p>
<hr />
<div>=Lucas C. Ferreira=<br />
<br />
==Involvement in OWASP==<br />
Past &quot;titles&quot;:<br />
* [[Global Conferences Committee]] member<br />
* [[Brasilia]], DF, Brazil chapter leader<br />
* [[OWASP Portuguese Language Project]] co-leader<br />
* OWASP [[AppSec Brasil 2009]] General Chair<br />
* OWASP [[AppSec Brasil 2010]] General Chair<br />
* OWASP [[AppSecLatam2011]] Program committee Chair<br />
<br />
==How I got involved in OWASP==<br />
In 2008, OWASP was organizing the EU Summit in Portugal and issued a Call for Training Providers, seeking trainings to be delivered at the Summit. I had recently finished preparing a &quot;Secure Programming in Java&quot; training in Portuguese and was working with some friends to organize training sessions in Brazil.<br />
<br />
At this time, Eduardo Neves, who was helping with the Summit's Call for Trainings, gave me the idea to send a proposal based on the Portuguese materials I had. I accepted, translated some materials to English and submitted. The proposal was accepted and I got authorization from my employer to go to the Summit. In the end, all trainings scheduled for the Summit were turned into 2-hour talks.<br />
<br />
During the time between my proposal being accepted and the Summit, I started helping the Summit organizers with small tasks, such as translations and trying to spread the word about OWASP and the Summit. At the Summit, I met several OWASP leaders, especially Dinis Cruz and Paulo Coimbra. I also met several Brazilians and we agreed that we needed an OWASP Conference in Brazil. After returning home, we started talking about it on our mailing list and managed to make it happen in 2009. I was able to convince my bosses to host the first OWASP AppSec in Brazil and got full support. This way, I became the OWASP AppSec Brasil 2009 General Chair.<br />
<br />
After the 2009 Conference, we started planning the next one. Again, I became the conference General Chair. After two years of intense work to make the conferences happen, I decided I needed some rest and time to dedicate to other projects. I want to dedicate myself to other OWASP-related projects:<br />
<br />
* OWASP [[Brasilia]] Chapter<br />
* OWASP [[Software_Assurance_Maturity_Model]] Portuguese translation<br />
* Developing OWASP [[WebGoat]]-based trainings<br />
<br />
Although I gave up all my &quot;titles&quot; at OWASP (as chapter or project leader or committee member), I still want to be involved as a contributor to projects and chapters and as a paid member.<br />
<br />
==About me==<br />
<br />
I don't like talking about me. Google it.<br />
<br />
==Why Sapão==<br />
This is a long story. To make it short: it is my long-time nickname (since my teen years).<br />
<br />
I was nicknamed after '''Toad''', a character from the [http://en.wikipedia.org/wiki/Drak_Pack Drak Pack] series. Toad's name in Brazil was Sapão.</div>Sapaohttps://www.owasp.org/index.php/Projects_Reboot_2012Projects Reboot 20122012-06-18T14:03:09Z<p>Sapao: </p>
<hr />
<div><br />
<br />
'''Welcome to the OWASP Project Reboot Page'''<br />
<br />
''What is the OWASP Project ReBoot initiative?''<br />
<br />
OWASP needs to refresh, revitalize &amp; update its projects. We need to make the software development community more aware of our efforts and demonstrate the Foundation's library of solutions &amp; guidance designed to help with the secure application development lifecycle.<br />
<br />
The proposal for this initiative is here:<br />
<br />
'''[https://docs.google.com/a/owasp.org/file/d/0B5Z9zE0hx0LNSUZvOWVKd1JRWnlVaGJMcjB3SEN3Zw/edit Project Re-Boot Proposal]'''<br />
<br />
'''Project Lead''': Eoin Keary &lt;br&gt;<br />
'''Proposal Approval Team''': Jim Manico, Rahim Jina, Tom Brennan,...&lt;br&gt;<br />
<br />
Board Approval can be seen here:<br />
[https://www.owasp.org/index.php/May_14,2012 Board meeting of May 14, 2012]<br />
<br />
To that end we have a budget to fund various project-related activities. We hope that putting some financial support behind projects will re-energise our community and deliver some high-quality material which can be used to support software developers and testers for years to come:&lt;br&gt;&lt;br&gt;<br />
<br />
'''Current Submissions''' &lt;br&gt;<br />
'''[[OWASP Application Security Guide For CISOs]]''' &lt;br&gt;<br />
'''[[OWASP Development Guide]]'''&lt;br&gt; <br />
'''[[OWASP Zed Attack Proxy Reboot2012|Zed Attack Proxy]]''' &lt;br&gt;<br />
'''[[OWASP WebGoat Reboot2012|OWASP WebGoat]]''' &lt;br&gt;<br />
'''[[OWASP Cheat Sheets]]'''&lt;br&gt;<br />
'''[[OWASP AppSensor]]'''&lt;br&gt;<br />
'''[[OWASP Mobile Project]]'''&lt;br&gt;<br />
'''[[Projects_Reboot_2012/OWASP_Portuguese_Project_Proposal]]'''&lt;br&gt;<br />
&lt;br&gt;<br />
<br />
<br />
'''Key Dates:'''&lt;br&gt;<br />
'''Submission closing date''': July 30th 2012 &lt;br&gt;<br />
'''First round of proposal selection''': 15 June 2012&lt;br&gt;<br />
'''Second round of proposal selection''': 10 Aug 2012&lt;br&gt;<br />
<br />
<br />
'''Activity types''':&lt;br&gt;<br />
<br />
'''Type 1''': Update, rewrite &amp; complete guides or tools.&lt;br&gt;<br />
This &quot;type&quot; is aimed at both existing and new tools or guides which require development effort (updating, augmenting, rewriting or developing) in order to achieve a high-quality, release-ready product.&lt;br&gt;&lt;br&gt;<br />
<br />
Examples:&lt;br&gt;<br />
#&quot;Mini&quot; project-based summits: expenses associated with holding workshops around the world, with the aim of releasing a new version of a project.&lt;br&gt;<br />
#Paying contributors for their time and effort.&lt;br&gt;<br />
#Paying for user guides etc to be professionally developed (technical writing etc).&lt;br&gt;&lt;br&gt;<br />
<br />
'''Type 2''': Market, Training, Awareness, increase adoption.&lt;br&gt;<br />
Existing, healthy robust tools and guides can utilise Type 2 activities to help with creating awareness and increasing adoption of that project.&lt;br&gt;<br />
<br />
Examples:&lt;br&gt;<br />
#Assisting with expenses associated with marketing a project.&lt;br&gt;<br />
#Costs facilitating OWASP project focused training and awareness events&lt;br&gt;<br />
<br />
<br />
'''How are we going to fund this?'''&lt;br&gt;<br />
We are requesting that all OWASP chapters which are in a healthy financial position pledge 25% of their chapter's funds to pay for this initiative.&lt;br&gt;<br />
[https://www.surveymonkey.com/s/OWASP-REBOOT Pledge some chapter funds here]<br />
<br />
Donate $1.00 to help save a current or future software application [http://www.firstgiving.com/fundraiser/projectreboot/owasp-project-reboot Click Here]<br />
<br />
The Foundation shall also support this initiative with additional funding.&lt;br&gt;<br />
The goal is to accumulate a budget of $100K which shall be allocated to projects undergoing this reboot.&lt;br&gt;<br />
<br />
[https://docs.google.com/a/owasp.org/spreadsheet/pub?hl=en_US&amp;hl=en_US&amp;key=0Atu4kyR3ljftdEdQWTczbUxoMUFnWmlTODZ2ZFZvaXc&amp;output=html Chapter Funds]<br />
<br />
'''Can I apply for this Reboot?'''&lt;br&gt;<br />
You certainly can, assuming you are an OWASP member.&lt;br&gt;<br />
If you feel your project is ready or has potential you can apply for the reboot programme.&lt;br&gt;<br />
<br />
<br />
'''How does funding work?'''&lt;br&gt;&lt;br&gt;<br />
'''Type 1''': Funding can be applied for as required if travel, a mini summit, etc. is to be expensed as part of the reboot. For development activities, payment to contributors shall be made at the 50% and 100% milestones.&lt;br&gt;<br />
Milestones are agreed prior to project reboot initiation.&lt;br&gt;<br />
Once the 50% milestone is reached, the work done to date shall be reviewed by a member of the [https://www.owasp.org/index.php/Category:Global_Projects_Committee GPC] and also by another nominated OWASP reviewer (generally an OWASP leader).&lt;br&gt;<br />
<br />
'''Type 2''': Funding is supplied as required. Items to be funded are agreed prior to reboot initiation.&lt;br&gt;<br />
Invoices for the required services are sent directly to the foundation for payment.<br />
<br />
<br />
'''How do I apply?'''<br />
Send in a proposal with the following information:<br />
<br />
# Project name and description. Including reboot project lead and any team members.<br />
# Reboot type (Type 1 or Type 2)<br />
# Goals of the reboot<br />
# Timeline for the 50% milestone and the 100% milestone. Suggested milestone reviewers (Generally OWASP Leaders or other industry experts)<br />
# Budget required and how you shall spend it.<br />
<br />
Want to support this initiative or learn more? Contact [mailto:eoin.keary@owasp.org Eoin Keary]</div>Sapaohttps://www.owasp.org/index.php/Projects_Reboot_2012/OWASP_Portuguese_Project_ProposalProjects Reboot 2012/OWASP Portuguese Project Proposal2012-06-18T14:02:28Z<p>Sapao: Created page with &quot;=Project Reboot Submission for OWASP Portuguese Language Project= '''Project Name:''' OWASP Portuguese Language Project '''Description:''' This project aims to coordinate an...&quot;</p>
<hr />
<div>=Project Reboot Submission for OWASP Portuguese Language Project=<br />
<br />
'''Project Name:''' OWASP Portuguese Language Project<br />
<br />
'''Description:''' This project aims to coordinate and push forward the initiatives developed to translate OWASP materials to Portuguese.<br />
<br />
'''Link:''' https://www.owasp.org/index.php/OWASP_Portuguese_Language_Project<br />
<br />
'''Reboot Project Lead:''' Márcio Machry<br />
<br />
'''Team Members:''' Lucas Ferreira, Carlos Serrão, Magno Logan, Leandro Gomes, Tarcizio Vieira<br />
<br />
'''Reboot type:''' Type 2<br />
<br />
'''Goals of the reboot:'''<br />
Promote the project to obtain volunteers to help with the translations; translate the main OWASP documents with quality and publicize them in all Portuguese-speaking countries; standardize the translations across Brazilian and European Portuguese<br />
<br />
'''50% milestone:''' December 2012, conclude ASVS and Top Ten translations; identify other priority documents to translate; marketing of the project at OWASP Conferences around Brazil<br />
<br />
'''100% milestone:''' December 2013, conclude OpenSAMM and CLASP translations; create teams with coordinators to translate new documents<br />
<br />
'''Suggested milestone reviewers:''' OWASP Brazilian Chapters Leaders<br />
<br />
'''Budget required:'''<br />
* USD 2,000 – expenses with translation reviewers and experts, layout and printing of the documents<br />
* USD 3,000 – promote awareness events, project marketing, present the project at OWASP conferences in Brazil<br />
* Estimated Total – USD 5,000</div>Sapaohttps://www.owasp.org/index.php/OWASP_File_Hash_RepositoryOWASP File Hash Repository2012-04-17T19:41:32Z<p>Sapao: /* If the database is free, where can I get it? */</p>
<hr />
<div>=FHR FAQ=<br />
<br />
==What is FHR?==<br />
<br />
Simply put, FHR is a repository of file hashes. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) a piece of malware and when a file is recognized as benign. Thus anyone could look up the hash of a file to see whether it corresponds to a known malware file or to an already known good file.<br />
<br />
==Aren't there already other sources for this information? ==<br />
<br />
Yes, and one of the ideas of the project is to aggregate and leverage information from existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information as a text-file download of over 1 GB. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], the [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com VirusTotal]. In addition to aggregating the information, one of the main goals of FHR is to allow free access to its database.<br />
<br />
==Isn't free access to a database that contains malware dangerous?==<br />
Yes, it would be, but the project repository will not contain malware. The repository holds only the hashes of malware samples, and a hash on its own poses no danger.<br />
<br />
==Detecting malware using only hashes is not a good strategy.==<br />
Certainly, and the project is not intended to replace current anti-virus scanners: a hash matches only an exact copy of a known file, so a sample that has been repacked or changed by a single byte produces a different hash and is missed. However, creating hashes is far cheaper and easier than creating generic detection algorithms, and hash lookups are already being used as a complement to traditional antivirus products. Several commercial products include cloud-based lookups as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database that can be used by everyone.<br />
<br />
==Will the FHR be integrated into antivirus systems?==<br />
We intend to develop clients for the FHR database that can scan workstations and query FHR to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors started supporting FHR, but only time will tell.<br />
<br />
==Technically, how does the FHR work?==<br />
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around it, several query interfaces can be developed. Candidate protocols for querying the FHR database are:<br />
<br />
* DNS<br />
* web<br />
* web services<br />
* JSON<br />
<br />
The current codebase includes a DNS-based query interface.<br />
<br />
==What data are available in the database?==<br />
<br />
We currently have a little more than 20 million files in the database. These come mainly from the NSRL, and we added several PE files from Windows Vista and other common software. For each registered file, we have the following information:<br />
<br />
* SHA-1<br />
* MD5<br />
* source<br />
* date when the system saw the hash / file for the first time (not available for the files from NIST)<br />
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)<br />
* size<br />
* certainty (a percentage that indicates the degree of certainty about the status of the file).<br />
<br />
==Testing the system==<br />
<br />
To query the FHR, append the suffix .hash.sapao.net to the MD5 or SHA-1 hash of the file (in hex format) and resolve the resulting name. For example, both of the following query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''; the first is a plain A query, the second asks for the TXT record:<br />
&lt;pre&gt;<br />
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
&lt;/pre&gt;<br />
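As an added example (not code from the FHR project), the following Python script does from a program what the dig commands above do by hand: it hashes a file's bytes with MD5 and SHA-1, builds the DIGEST.hash.sapao.net query name described above, and optionally performs the A lookup with the standard-library resolver. The page does not document what the server returns in the record, so the lookup only reports whether the name resolved. The sample input is a constructed byte string; reaching sapao.net needs network access and a live service, neither of which the example assumes.<br />

```python
import hashlib
import re
import socket

# Query suffix given on the page; the service may no longer be reachable.
FHR_SUFFIX = "hash.sapao.net"

# FHR keys files by MD5 (32 hex chars) or SHA-1 (40 hex chars).
_HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40})$")


def hash_bytes(data):
    """Return the MD5 and SHA-1 hex digests of data, the two keys FHR stores."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def hash_file(path):
    """Hash a file on disk in chunks so large files need not fit in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def fhr_query_name(digest, suffix=FHR_SUFFIX):
    """Build the DNS name to query: DIGEST.hash.sapao.net.

    Only a bare MD5 or SHA-1 hex string is accepted, so a caller cannot
    smuggle extra labels or other characters into the name handed to the
    resolver. The label is upper-cased to match the example on the page;
    DNS names are case-insensitive anyway.
    """
    if not _HEX_DIGEST.match(digest):
        raise ValueError("digest must be 32 or 40 hexadecimal characters")
    return digest.upper() + "." + suffix


def fhr_lookup(digest, suffix=FHR_SUFFIX):
    """Resolve the query name with an A query, as a plain dig does.

    Returns the address string if the name resolves and None if the
    resolver reports no such name or any other failure. What the address
    means is not documented on the page, so this only signals 'known'.
    """
    name = fhr_query_name(digest, suffix)
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


if __name__ == "__main__":
    # Constructed sample input; for a real file call hash_file(path) instead.
    digests = hash_bytes(b"abc")
    for algo, hexdigest in digests.items():
        print(algo, fhr_query_name(hexdigest))
    print("resolved:", fhr_lookup(digests["md5"]))
```

The hex check in fhr_query_name matters because the digest is the only part of the query name under the caller's control: without it, a crafted "digest" could turn the lookup into a query for an arbitrary name.<br />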
<br />
== If the database is free, where can I get it? ==<br />
<br />
The database is too big to offer conveniently as a download. We do, however, publish an Amazon AWS snapshot of the database disk. The snapshot ID is snap-5aacdd27 and its name is FHRDatabase.<br />
<br />
To find the snapshot, log in to the AWS console, open the EC2 tab and select Elastic Block Store -&gt; Snapshots in the left pane. Choose All snapshots in the Viewing drop-down and search for the ID or name. EBS snapshots are listed per region, so switch regions if it does not show up.<br />
<br />
The snapshot contains a Linux disk with the MySQL database files. Create a volume from the snapshot, attach it to your own instance and mount it, and you will have access to all the files. Treat the contents like any other third-party download: mount it on a scratch instance rather than on a production database host.<br />
<br />
=Roadmap=<br />
<br />
[[Projects/OWASP_File_Hash_Repository/Roadmap]]<br />
<br />
=Documentation=<br />
<br />
==Database schema==<br />
<br />
The FHR database contains a single table, called File, described below. Both hash columns are indexed (the MUL key), which is what keeps lookups by MD5 or SHA-1 cheap at tens of millions of rows:<br />
<br />
&lt;pre&gt;<br />
mysql&gt; show columns from File in FHR;<br />
+-----------+------------+------+-----+---------+----------------+<br />
| Field     | Type       | Null | Key | Default | Extra          |<br />
+-----------+------------+------+-----+---------+----------------+<br />
| idFile    | int(11)    | NO   | PRI | NULL    | auto_increment |<br />
| SHA1      | char(40)   | YES  | MUL | NULL    |                |<br />
| MD5       | char(32)   | YES  | MUL | NULL    |                |<br />
| size      | mediumtext | YES  |     | NULL    |                |<br />
| source    | char(10)   | YES  |     | NULL    |                |<br />
| date      | date       | YES  |     | NULL    |                |<br />
| status    | char(10)   | NO   |     | NULL    |                |<br />
| certainty | float      | YES  |     | NULL    |                |<br />
+-----------+------------+------+-----+---------+----------------+<br />
8 rows in set (0.00 sec)<br />
&lt;/pre&gt;<br />
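As an added example (not the project's code), here is the server-side half of the DNS interface in Python: a copy of the File table above built in SQLite instead of MySQL (constructed sample rows; size stored as an integer rather than the mediumtext of the original schema), a parser that strips the .hash.sapao.net suffix from an incoming query name and accepts only a well-formed MD5 or SHA-1 hex label, and a parameterized lookup that returns the row's status and certainty. The query name arrives straight from an untrusted DNS client, so the hex check and the bound parameter are the two points that keep a crafted label from reaching the SQL as code. The TXT text returned per status is an assumption of this example; the page does not define a record format.<br />

```python
import re
import sqlite3

FHR_SUFFIX = "hash.sapao.net"
_HEX_LABEL = re.compile(r"^(?:[0-9A-F]{32}|[0-9A-F]{40})$")

# The File table from the page, in SQLite; size is an integer here
# (the MySQL schema on the page uses mediumtext for it).
SCHEMA = """
CREATE TABLE File (
    idFile    INTEGER PRIMARY KEY AUTOINCREMENT,
    SHA1      CHAR(40),
    MD5       CHAR(32),
    size      INTEGER,
    source    CHAR(10),
    date      DATE,
    status    CHAR(10) NOT NULL,
    certainty REAL
);
CREATE INDEX File_SHA1 ON File (SHA1);
CREATE INDEX File_MD5 ON File (MD5);
"""

# Constructed sample rows (not real FHR data). The SHA-1/MD5 pairs are the
# standard test vectors for the empty input and for the string "abc".
SAMPLE_ROWS = [
    ("DA39A3EE5E6B4B0D3255BFEF95601890AFD80709", "D41D8CD98F00B204E9800998ECF8427E",
     0, "NSRL", None, "GOOD", 100.0),
    ("A9993E364706816ABA3E25717850C26C9CD0D89D", "900150983CD24FB0D6963F7D28E17F72",
     3, "manual", "2012-04-17", "MALWARE", 90.0),
]


def open_fhr_db():
    """Create an in-memory FHR database with the schema and sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO File (SHA1, MD5, size, source, date, status, certainty) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def parse_query_name(qname, suffix=FHR_SUFFIX):
    """Extract the hash label from 'HASH.hash.sapao.net', or return None.

    DNS names are case-insensitive, so both parts are upper-cased before the
    check. Anything that is not exactly one hex label followed by the suffix
    (extra labels, wrong length, non-hex characters) is rejected here, before
    the value gets anywhere near the database.
    """
    name = qname.rstrip(".").upper()
    tail = "." + suffix.upper()
    if not name.endswith(tail):
        return None
    label = name[: -len(tail)]
    if not _HEX_LABEL.match(label):
        return None
    return label


def lookup_hash(conn, label):
    """Look a validated hex label up by MD5 or SHA-1 with a bound parameter."""
    column = "MD5" if len(label) == 32 else "SHA1"
    # The column name comes from our own length check, never from the client;
    # the label itself is passed as a parameter, not pasted into the SQL.
    row = conn.execute(
        "SELECT status, certainty FROM File WHERE " + column + " = ?", (label,)
    ).fetchone()
    return None if row is None else {"status": row[0], "certainty": row[1]}


def answer_query(conn, qname):
    """Resolve one query name to the TXT text this example would return.

    Returns None where a DNS server would answer NXDOMAIN: malformed names
    and hashes absent from the database look the same to the client.
    """
    label = parse_query_name(qname)
    if label is None:
        return None
    hit = lookup_hash(conn, label)
    if hit is None:
        return None
    # Assumed response format for this example; the page does not define one.
    return "status=%s certainty=%.0f" % (hit["status"], hit["certainty"])


if __name__ == "__main__":
    db = open_fhr_db()
    for q in ["900150983CD24FB0D6963F7D28E17F72.hash.sapao.net",
              "0000.hash.sapao.net",
              "x' OR 1=1;--.hash.sapao.net"]:
        print(q, ":", answer_query(db, q))
```

Rejecting malformed labels and unknown hashes with the same "no answer" keeps the interface from leaking which of the two happened, and the parameterized lookup is the habit to keep if the web or JSON interfaces listed above are built on the same table.<br />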
<br />
==Server Implementation Details==<br />
<br />
The DNS server is implemented in Java and is based on the EagleDNS server, which uses the dnsjava library. <br />
<br />
===EagleDNS extensions===<br />
The EagleDNS server is easily extended. It is based on the concept of Zone Providers, which provide specific implementations for the backend storage of zone data. The server provides two basic providers, one for loading data from simple zone files and another for loading data from a database.<br />
<br />
At first glance, it could seem that the database zone provider would be a perfect fit for FHR, but on closer examination we quickly found that this is not the case. The main reason is that EagleDNS uses the dnsjava Zone class to represent zone data. This implementation requires all zone data to be held in memory, which is infeasible for FHR, since it contains millions of entries, each corresponding to a DNS record.<br />
<br />
So we had to extend EagleDNS by implementing its ZoneProvider interface, and we also needed to extend the functionality of the dnsjava Zone class. This created a problem, since the Zone class was not written to be extended, so we had to change the dnsjava source code and recompile the library before we could implement the FHRZoneProvider class.<br />
<br />
The diffs for the dnsjava classes are available at [[OWASP_File_Hash_Repository/dnsjava_diffs]]<br />
<br />
===The FHRZoneProvider rationale===<br />
TODO.<br />
<br />
= Project About =<br />
<br />
{{:Projects/OWASP File Hash Repository | Project About}} <br />
<br />
__NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]<br />
[[Category:OWASP Project]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_File_Hash_RepositoryOWASP File Hash Repository2012-04-17T19:39:53Z<p>Sapao: /* Testing the system */</p>
<hr />
<div>=FHR FAQ=<br />
<br />
==What is FHR?==<br />
<br />
Simply put, FHR is a repository of hashes of files. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) a malware or when a file is recognized as benign. Thus, anyone could see the hash of a file to see if it corresponds to a malware file or an already known good file. <br />
<br />
==Aren't there already other sources for this information? ==<br />
<br />
Yes, and one of the ideas of the project is to aggregate and leverage information from already existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information in a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals for FHR is to allow free access to its database. <br />
<br />
==Isn't free access to a database that contains malware dangerous?==<br />
Yes, it's dangerous, but the project repository will not contain malware. The repository will only have the hashes of malware, which poses no danger. <br />
<br />
==Detecting malware using only hashes is not good strategy.==<br />
Certainly, and the project is not intended to replace the current anti-virus scanners. However, the creation of hashes is more efficient and easier than creating generic virus detection algorithms and it is a strategy which is being used as a complement to traditional antivirus products. Several commercial products include uses of cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database to be used by everyone. <br />
<br />
==Will the FHR be integrated into antivirus systems?==<br />
We intend to develop clients to the FHR database that can scan workstations and query FHR's database to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors start supporting FHR, but only time will tell. <br />
<br />
==Technically, how does the FHR work?==<br />
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, we can develop several query interfaces. Some ideas of protocols for querying the FHR database are:<br />
<br />
* DNS<br />
* web<br />
* web services<br />
* JSON<br />
<br />
The current codebase includes a DNS-based query interface.<br />
<br />
==What data are available in the database?==<br />
<br />
We currently have the a little more than 20 million files in the database. These come mainly from the NSRL and we included several PE files from Windows Vista and other common software. For each registered file, we have the following information:<br />
<br />
* SHA-1<br />
* MD5<br />
* source<br />
* date when the system saw the hash / file for the first time (not available for the files from NIST)<br />
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)<br />
* size<br />
* certainty (a percentage that indicates the degree of certainty about the status of the file).<br />
<br />
==Testing the system==<br />
<br />
To query the FHR, add the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file. For example:<br />
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
or<br />
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.<br />
<br />
== If the database is free, where can I get it? ==<br />
<br />
The database is big and difficult to make available for download. We have however an Amazon AWS snapshot of the database disk. The snapshot ID is snap-5aacdd27 and its name is FHRDatabase.<br />
<br />
To find the snapshot, log in the AWS console, select the EC2 tab, and select Elastic Block Store -&gt; snapshops on the left pane. Select All snapshots on the Viewing dropbox and search for the ID or name.<br />
<br />
=Roadmap=<br />
<br />
[[Projects/OWASP_File_Hash_Repository/Roadmap]]<br />
<br />
=Documentation=<br />
<br />
==Database schema==<br />
<br />
The FHR database contains a single table, called File, described below:<br />
<br />
&lt;pre&gt;<br />
mysql&gt; show columns from File in FHR;<br />
+-----------+------------+------+-----+---------+----------------+<br />
| Field     | Type       | Null | Key | Default | Extra          |<br />
+-----------+------------+------+-----+---------+----------------+<br />
| idFile    | int(11)    | NO   | PRI | NULL    | auto_increment |<br />
| SHA1      | char(40)   | YES  | MUL | NULL    |                |<br />
| MD5       | char(32)   | YES  | MUL | NULL    |                |<br />
| size      | mediumtext | YES  |     | NULL    |                |<br />
| source    | char(10)   | YES  |     | NULL    |                |<br />
| date      | date       | YES  |     | NULL    |                |<br />
| status    | char(10)   | NO   |     | NULL    |                |<br />
| certainty | float      | YES  |     | NULL    |                |<br />
+-----------+------------+------+-----+---------+----------------+<br />
8 rows in set (0.00 sec)<br />
&lt;/pre&gt;<br />
<br />
==Server Implementation Details==<br />
<br />
The DNS server is implemented in Java and is based on the EagleDNS server, which uses the dnsjava library. <br />
<br />
===EagleDNS extensions===<br />
The EagleDNS server is easily extended. It is based on the concept of Zone Providers, which provide specific implementations for the backend storage of zone data. The server provides two basic providers, one for loading data from simple zone files and another for loading data from a database.<br />
<br />
At first glance, it might seem that the database zone provider would be a perfect fit for FHR, but on closer examination it turns out not to be the case. The main reason is that EagleDNS uses the dnsjava Zone class to represent zone data. This implementation requires all zone data to be held in memory, which is impossible for FHR since it contains millions of entries, each corresponding to a DNS record.<br />
<br />
So we had to extend EagleDNS by implementing its ZoneProvider interface, and we also needed to extend the functionality of the dnsjava Zone class. This created a problem, since the Zone class was not designed to be extended. We therefore had to change the dnsjava source code and recompile the library before we could implement the FHRZoneProvider class.<br />
<br />
The diffs for the dnsjava classes are available at [[OWASP_File_Hash_Repository/dnsjava_diffs]].<br />
<br />
===The FHRZoneProvider rationale===<br />
TODO.<br />
<br />
= Project About =<br />
<br />
{{:Projects/OWASP File Hash Repository | Project About}} <br />
<br />
__NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]<br />
[[Category:OWASP Project]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_File_Hash_RepositoryOWASP File Hash Repository2012-04-17T19:34:21Z<p>Sapao: /* Testing the system */</p>
<hr />
<div>=FHR FAQ=<br />
<br />
==What is FHR?==<br />
<br />
Simply put, FHR is a repository of file hashes. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) malware or when a file is recognized as benign. Thus, anyone could look up the hash of a file to see whether it corresponds to a known malware file or to an already known good file. <br />
<br />
==Aren't there already other sources for this information? ==<br />
<br />
Yes, and one of the ideas of the project is to aggregate and leverage information from existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information as a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals of FHR is to allow free access to its database. <br />
<br />
==Isn't free access to a database that contains malware dangerous?==<br />
Yes, it would be dangerous, but the project repository will not contain malware. The repository will only hold the hashes of malware, which pose no danger. <br />
<br />
==Detecting malware using only hashes is not a good strategy.==<br />
Certainly, and the project is not intended to replace current anti-virus scanners. However, creating hashes is more efficient and easier than creating generic virus detection algorithms, and it is a strategy already being used as a complement to traditional antivirus products. Several commercial products use cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database that can be used by everyone. <br />
<br />
==Will the FHR be integrated into antivirus systems?==<br />
We intend to develop clients for the FHR database that can scan workstations and query FHR to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors started supporting FHR, but only time will tell. <br />
<br />
==Technically, how does the FHR work?==<br />
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, several query interfaces can be developed. Some candidate protocols for querying the FHR database are:<br />
<br />
* DNS<br />
* web<br />
* web services<br />
* JSON<br />
<br />
The current codebase includes a DNS-based query interface.<br />
<br />
==What data are available in the database?==<br />
<br />
We currently have a little more than 20 million files in the database. These come mainly from the NSRL; we also included several PE files from Windows Vista and other common software. For each registered file, we have the following information:<br />
<br />
* SHA-1<br />
* MD5<br />
* source<br />
* date when the system saw the hash / file for the first time (not available for the files from NIST)<br />
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)<br />
* size<br />
* certainty (a percentage that indicates the degree of certainty about the status of the file).<br />
<br />
==Testing the system==<br />
<br />
To query the FHR, append the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file and resolve the resulting name. For example:<br />
&lt;pre&gt;<br />
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
&lt;/pre&gt;<br />
or<br />
&lt;pre&gt;<br />
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
&lt;/pre&gt;<br />
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.<br />
<br />
=Roadmap=<br />
<br />
[[Projects/OWASP_File_Hash_Repository/Roadmap]]<br />
<br />
=Documentation=<br />
<br />
==Database schema==<br />
<br />
The FHR database contains a single table, called File, described below:<br />
<br />
&lt;pre&gt;<br />
mysql&gt; show columns from File in FHR;<br />
+-----------+------------+------+-----+---------+----------------+<br />
| Field     | Type       | Null | Key | Default | Extra          |<br />
+-----------+------------+------+-----+---------+----------------+<br />
| idFile    | int(11)    | NO   | PRI | NULL    | auto_increment |<br />
| SHA1      | char(40)   | YES  | MUL | NULL    |                |<br />
| MD5       | char(32)   | YES  | MUL | NULL    |                |<br />
| size      | mediumtext | YES  |     | NULL    |                |<br />
| source    | char(10)   | YES  |     | NULL    |                |<br />
| date      | date       | YES  |     | NULL    |                |<br />
| status    | char(10)   | NO   |     | NULL    |                |<br />
| certainty | float      | YES  |     | NULL    |                |<br />
+-----------+------------+------+-----+---------+----------------+<br />
8 rows in set (0.00 sec)<br />
&lt;/pre&gt;<br />
<br />
==Server Implementation Details==<br />
<br />
The DNS server is implemented in Java and is based on the EagleDNS server, which uses the dnsjava library. <br />
<br />
===EagleDNS extensions===<br />
The EagleDNS server is easily extended. It is based on the concept of Zone Providers, which provide specific implementations for the backend storage of zone data. The server provides two basic providers, one for loading data from simple zone files and another for loading data from a database.<br />
<br />
At first glance, it might seem that the database zone provider would be a perfect fit for FHR, but on closer examination it turns out not to be the case. The main reason is that EagleDNS uses the dnsjava Zone class to represent zone data. This implementation requires all zone data to be held in memory, which is impossible for FHR since it contains millions of entries, each corresponding to a DNS record.<br />
<br />
So we had to extend EagleDNS by implementing its ZoneProvider interface, and we also needed to extend the functionality of the dnsjava Zone class. This created a problem, since the Zone class was not designed to be extended. We therefore had to change the dnsjava source code and recompile the library before we could implement the FHRZoneProvider class.<br />
<br />
The diffs for the dnsjava classes are available at [[OWASP_File_Hash_Repository/dnsjava_diffs]].<br />
<br />
===The FHRZoneProvider rationale===<br />
TODO.<br />
<br />
= Project About =<br />
<br />
{{:Projects/OWASP File Hash Repository | Project About}} <br />
<br />
__NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]<br />
[[Category:OWASP Project]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_File_Hash_RepositoryOWASP File Hash Repository2012-04-17T19:30:16Z<p>Sapao: </p>
<hr />
<div>=FHR FAQ=<br />
<br />
==What is FHR?==<br />
<br />
Simply put, FHR is a repository of file hashes. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) malware or when a file is recognized as benign. Thus, anyone could look up the hash of a file to see whether it corresponds to a known malware file or to an already known good file. <br />
<br />
==Aren't there already other sources for this information? ==<br />
<br />
Yes, and one of the ideas of the project is to aggregate and leverage information from existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information as a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals of FHR is to allow free access to its database. <br />
<br />
==Isn't free access to a database that contains malware dangerous?==<br />
Yes, it would be dangerous, but the project repository will not contain malware. The repository will only hold the hashes of malware, which pose no danger. <br />
<br />
==Detecting malware using only hashes is not a good strategy.==<br />
Certainly, and the project is not intended to replace current anti-virus scanners. However, creating hashes is more efficient and easier than creating generic virus detection algorithms, and it is a strategy already being used as a complement to traditional antivirus products. Several commercial products use cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database that can be used by everyone. <br />
<br />
==Will the FHR be integrated into antivirus systems?==<br />
We intend to develop clients for the FHR database that can scan workstations and query FHR to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors started supporting FHR, but only time will tell. <br />
<br />
==Technically, how does the FHR work?==<br />
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, several query interfaces can be developed. Some candidate protocols for querying the FHR database are:<br />
<br />
* DNS<br />
* web<br />
* web services<br />
* JSON<br />
<br />
The current codebase includes a DNS-based query interface.<br />
<br />
==What data are available in the database?==<br />
<br />
We currently have a little more than 20 million files in the database. These come mainly from the NSRL; we also included several PE files from Windows Vista and other common software. For each registered file, we have the following information:<br />
<br />
* SHA-1<br />
* MD5<br />
* source<br />
* date when the system saw the hash / file for the first time (not available for the files from NIST)<br />
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)<br />
* size<br />
* certainty (a percentage that indicates the degree of certainty about the status of the file).<br />
<br />
==Testing the system==<br />
<br />
To query the FHR, append the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file and resolve the resulting name. For example:<br />
&lt;pre&gt;<br />
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
&lt;/pre&gt;<br />
or<br />
&lt;pre&gt;<br />
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
&lt;/pre&gt;<br />
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.<br />
<br />
====Roadmap====<br />
<br />
[[Projects/OWASP_File_Hash_Repository/Roadmap]]<br />
<br />
====Documentation====<br />
<br />
==Database schema==<br />
<br />
The FHR database contains a single table, called File, described below:<br />
<br />
&lt;pre&gt;<br />
mysql&gt; show columns from File in FHR;<br />
+-----------+------------+------+-----+---------+----------------+<br />
| Field     | Type       | Null | Key | Default | Extra          |<br />
+-----------+------------+------+-----+---------+----------------+<br />
| idFile    | int(11)    | NO   | PRI | NULL    | auto_increment |<br />
| SHA1      | char(40)   | YES  | MUL | NULL    |                |<br />
| MD5       | char(32)   | YES  | MUL | NULL    |                |<br />
| size      | mediumtext | YES  |     | NULL    |                |<br />
| source    | char(10)   | YES  |     | NULL    |                |<br />
| date      | date       | YES  |     | NULL    |                |<br />
| status    | char(10)   | NO   |     | NULL    |                |<br />
| certainty | float      | YES  |     | NULL    |                |<br />
+-----------+------------+------+-----+---------+----------------+<br />
8 rows in set (0.00 sec)<br />
&lt;/pre&gt;<br />
<br />
==Server Implementation Details==<br />
<br />
The DNS server is implemented in Java and is based on the EagleDNS server, which uses the dnsjava library. <br />
<br />
===EagleDNS extensions===<br />
The EagleDNS server is easily extended. It is based on the concept of Zone Providers, which provide specific implementations for the backend storage of zone data. The server provides two basic providers, one for loading data from simple zone files and another for loading data from a database.<br />
<br />
At first glance, it might seem that the database zone provider would be a perfect fit for FHR, but on closer examination it turns out not to be the case. The main reason is that EagleDNS uses the dnsjava Zone class to represent zone data. This implementation requires all zone data to be held in memory, which is impossible for FHR since it contains millions of entries, each corresponding to a DNS record.<br />
<br />
So we had to extend EagleDNS by implementing its ZoneProvider interface, and we also needed to extend the functionality of the dnsjava Zone class. This created a problem, since the Zone class was not designed to be extended. We therefore had to change the dnsjava source code and recompile the library before we could implement the FHRZoneProvider class.<br />
<br />
The diffs for the dnsjava classes are available at [[OWASP_File_Hash_Repository/dnsjava_diffs]].<br />
<br />
===The FHRZoneProvider rationale===<br />
TODO.<br />
<br />
= Project About =<br />
<br />
{{:Projects/OWASP File Hash Repository | Project About}} <br />
<br />
__NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]<br />
[[Category:OWASP Project]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_Portuguese_Language_ProjectOWASP Portuguese Language Project2012-04-09T22:08:50Z<p>Sapao: /* SAMM */</p>
<hr />
<div>{{Social Media Links}}<br />
&lt;paypal&gt;OWASP Portuguese Language Project&lt;/paypal&gt;<br />
<br />
= Home =<br />
<br />
==OWASP Portuguese Language Project==<br />
<br />
The goal of this project is to coordinate the translation and production of Portuguese-language documents within OWASP. This makes it easier to participate and avoids duplicated effort in translating the same documents.<br />
<br />
&lt;br&gt;<br />
<br />
{| width=&quot;100%&quot;<br />
|-<br />
! width=&quot;50%&quot; | <br />
! width=&quot;50%&quot; | <br />
|- valign=&quot;top&quot;<br />
| <br />
== Want to help? ==<br />
<br />
[[Image:Asvs-waiting.JPG]]<br />
<br />
# Subscribe to the project's mailing list<br />
# Check the list of translations in progress in the next tab<br />
# Choose a translation (in progress or new) and send an email to the list containing:<br />
## your name<br />
## the chosen translation<br />
# If it is a new translation, also say whether you would like help from other volunteers<br />
# Keep the list informed of the progress of your effort<br />
<br />
|<br />
== Results ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''Available documents''' <br />
<br />
* [[OWASP Brasil Manifesto]]<br />
* OWASP Secure Coding Practices - Quick Reference Guide ([https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-PT.pdf PT_PT] | [https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-BR.pdf PT_BR])<br />
<br />
|}<br />
<br />
<br />
=Efforts in progress=<br />
<br />
==CLASP==<br />
==Top Ten==<br />
==Top Ten for Java EE==<br />
==SAMM==<br />
<br />
Needs volunteers for translation and review.<br />
<br />
==ASVS==<br />
<br />
Needs volunteers for review and formatting of the final document.<br />
<br />
=Summit 2011=<br />
<br />
== Decisions of the Working Session held at the OWASP Summit 2011 ==<br />
<br />
=== Standardization ===<br />
<br />
An effort will be needed to standardize the language used in the translations. Based on the experience of the Spanish-language translation project, it was decided that the first initiative in this direction will be the compilation of a glossary, with a list of the most problematic words and expressions and their recommended translations. <br />
<br />
=== Setting priorities ===<br />
<br />
Given the large amount of material made available by OWASP, translation efforts need to be prioritized. At the Summit, the following documents were chosen as priorities for translation: <br />
<br />
*Top 10 <br />
*OpenSAMM (a partial translation already exists) <br />
*Presentations about what OWASP is and how it works<br />
<br />
The documents below already have a translation available and are priorities for review: <br />
<br />
*OWASP Quick Reference <br />
*ASVS<br />
<br />
=== Coordination ===<br />
<br />
The effort must be coordinated to be effective. The group decided on the following working method: <br />
<br />
*each translation will have a coordinator, responsible for allocating translation chunks, tracking the progress of the translation, setting deadlines and replacing translators when necessary. <br />
*each translation must publish on the wiki the information needed to follow its progress.<br />
<br />
=== Process ===<br />
<br />
The overall translation process was defined as: <br />
<br />
#each translation will be divided into chunks, which can be pages, chapters, parts, etc. <br />
#the coordinator allocates the chunks to translators and keeps track of the allocation and deadlines on the wiki <br />
#the coordinator must always check the progress of the translation and compliance with the agreed deadlines <br />
#the coordinator may keep a waiting list of translators who can be called upon if necessary <br />
#every translated chunk must be reviewed, preferably by someone from a country other than the translator's country of origin <br />
#the complete document must be reviewed again, with the aim of standardizing the wording.&lt;br&gt;<br />
<br />
<br />
=Project About=<br />
<br />
{{:Projects/OWASP Portuguese Language Project | Project About}} <br />
<br />
__NOTOC__ &lt;headertabs /&gt; &lt;BR&gt;<br />
<br />
[[Category:OWASP_Project|Portuguese Language Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_Portuguese_Language_ProjectOWASP Portuguese Language Project2012-04-09T16:28:48Z<p>Sapao: </p>
<hr />
<div>{{Social Media Links}}<br />
&lt;paypal&gt;OWASP Portuguese Language Project&lt;/paypal&gt;<br />
<br />
= Home =<br />
<br />
==OWASP Portuguese Language Project==<br />
<br />
The goal of this project is to coordinate the translation and production of Portuguese-language documents within OWASP. This makes it easier to participate and avoids duplicated effort in translating the same documents.<br />
<br />
&lt;br&gt;<br />
<br />
{| width=&quot;100%&quot;<br />
|-<br />
! width=&quot;50%&quot; | <br />
! width=&quot;50%&quot; | <br />
|- valign=&quot;top&quot;<br />
| <br />
== Want to help? ==<br />
<br />
[[Image:Asvs-waiting.JPG]]<br />
<br />
# Subscribe to the project's mailing list<br />
# Check the list of translations in progress in the next tab<br />
# Choose a translation (in progress or new) and send an email to the list containing:<br />
## your name<br />
## the chosen translation<br />
# If it is a new translation, also say whether you would like help from other volunteers<br />
# Keep the list informed of the progress of your effort<br />
<br />
|<br />
== Results ==<br />
<br />
[[Image:Asvs-satellite.jpg]]'''Available documents''' <br />
<br />
* [[OWASP Brasil Manifesto]]<br />
* OWASP Secure Coding Practices - Quick Reference Guide ([https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-PT.pdf PT_PT] | [https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-BR.pdf PT_BR])<br />
<br />
|}<br />
<br />
<br />
=Efforts in progress=<br />
<br />
==CLASP==<br />
==Top Ten==<br />
==Top Ten for Java EE==<br />
==SAMM==<br />
<br />
=Summit 2011=<br />
<br />
== Decisions of the Working Session held at the OWASP Summit 2011 ==<br />
<br />
=== Standardization ===<br />
<br />
An effort will be needed to standardize the language used in the translations. Based on the experience of the Spanish-language translation project, it was decided that the first initiative in this direction will be the compilation of a glossary, with a list of the most problematic words and expressions and their recommended translations. <br />
<br />
=== Setting priorities ===<br />
<br />
Given the large amount of material made available by OWASP, translation efforts need to be prioritized. At the Summit, the following documents were chosen as priorities for translation: <br />
<br />
*Top 10 <br />
*OpenSAMM (a partial translation already exists) <br />
*Presentations about what OWASP is and how it works<br />
<br />
The documents below already have a translation available and are priorities for review: <br />
<br />
*OWASP Quick Reference <br />
*ASVS<br />
<br />
=== Coordination ===<br />
<br />
The effort must be coordinated to be effective. The group decided on the following working method: <br />
<br />
*each translation will have a coordinator, responsible for allocating translation chunks, tracking the progress of the translation, setting deadlines and replacing translators when necessary. <br />
*each translation must publish on the wiki the information needed to follow its progress.<br />
<br />
=== Process ===<br />
<br />
The overall translation process was defined as: <br />
<br />
#each translation will be divided into chunks, which can be pages, chapters, parts, etc. <br />
#the coordinator allocates the chunks to translators and keeps track of the allocation and deadlines on the wiki <br />
#the coordinator must always check the progress of the translation and compliance with the agreed deadlines <br />
#the coordinator may keep a waiting list of translators who can be called upon if necessary <br />
#every translated chunk must be reviewed, preferably by someone from a country other than the translator's country of origin <br />
#the complete document must be reviewed again, with the aim of standardizing the wording.&lt;br&gt;<br />
<br />
<br />
=Project About=<br />
<br />
{{:Projects/OWASP Portuguese Language Project | Project About}} <br />
<br />
__NOTOC__ &lt;headertabs /&gt; &lt;BR&gt;<br />
<br />
[[Category:OWASP_Project|Portuguese Language Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_Portuguese_Language_ProjectOWASP Portuguese Language Project2012-04-09T15:13:28Z<p>Sapao: </p>
<hr />
<div>= Main =<br />
<br />
== Decisions of the Working Session held at the OWASP Summit 2011 ==<br />
<br />
=== Standardization ===<br />
<br />
An effort will be needed to standardize the language used in the translations. Based on the experience of the Spanish-language translation project, it was decided that the first initiative in this direction will be the compilation of a glossary, with a list of the most problematic words and expressions and their recommended translations. <br />
<br />
=== Setting priorities ===<br />
<br />
Given the large amount of material made available by OWASP, translation efforts need to be prioritized. At the Summit, the following documents were chosen as priorities for translation: <br />
<br />
*Top 10 <br />
*OpenSAMM (a partial translation already exists) <br />
*Presentations about what OWASP is and how it works<br />
<br />
The documents below already have a translation available and are priorities for review: <br />
<br />
*OWASP Quick Reference <br />
*ASVS<br />
<br />
=== Coordination ===<br />
<br />
The effort must be coordinated to be effective. The group decided on the following working method: <br />
<br />
*each translation will have a coordinator, responsible for allocating translation chunks, tracking the progress of the translation, setting deadlines and replacing translators when necessary. <br />
*each translation must publish on the wiki the information needed to follow its progress.<br />
<br />
=== Process ===<br />
<br />
The overall translation process was defined as: <br />
<br />
#each translation will be divided into chunks, which can be pages, chapters, parts, etc. <br />
#the coordinator allocates the chunks to translators and keeps track of the allocation and deadlines on the wiki <br />
#the coordinator must always check the progress of the translation and compliance with the agreed deadlines <br />
#the coordinator may keep a waiting list of translators who can be called upon if necessary <br />
#every translated chunk must be reviewed, preferably by someone from a country other than the translator's country of origin <br />
#the complete document must be reviewed again, with the aim of standardizing the wording.&lt;br&gt;<br />
<br />
==Available documents ==<br />
<br />
* [[OWASP Brasil Manifesto]]<br />
* OWASP Secure Coding Practices - Quick Reference Guide ([https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-PT.pdf PT_PT] | [https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-BR.pdf PT_BR])<br />
<br />
= Project About =<br />
<br />
{{:Projects/OWASP Portuguese Language Project | Project About}} <br />
<br />
&lt;br&gt; __NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Project|Portuguese Language Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_Portuguese_Language_ProjectOWASP Portuguese Language Project2012-04-09T15:09:16Z<p>Sapao: </p>
<hr />
<div>= Main =<br />
<br />
== Decisions of the Working Session held at the OWASP Summit 2011 ==<br />
<br />
=== Standardization ===<br />
<br />
An effort will be needed to standardize the language used in the translations. Based on the experience of the Spanish-language translation project, it was decided that the first initiative in this direction will be the compilation of a glossary, with a list of the most problematic words and expressions and their recommended translations. <br />
<br />
=== Setting priorities ===<br />
<br />
Given the large amount of material made available by OWASP, translation efforts need to be prioritized. At the Summit, the following documents were chosen as priorities for translation: <br />
<br />
*Top 10 <br />
*OpenSAMM (a partial translation already exists) <br />
*Presentations about what OWASP is and how it works<br />
<br />
The documents below already have a translation available and are priorities for review: <br />
<br />
*OWASP Quick Reference <br />
*ASVS<br />
<br />
=== Coordination ===<br />
<br />
The effort must be coordinated to be effective. The group decided on the following working method: <br />
<br />
*each translation will have a coordinator, responsible for allocating translation chunks, tracking the progress of the translation, setting deadlines and replacing translators when necessary. <br />
*each translation must publish on the wiki the information needed to follow its progress.<br />
<br />
=== Process ===<br />
<br />
The overall translation process was defined as: <br />
<br />
#each translation will be divided into chunks, which can be pages, chapters, parts, etc. <br />
#the coordinator allocates the chunks to translators and keeps track of the allocation and deadlines on the wiki <br />
#the coordinator must always check the progress of the translation and compliance with the agreed deadlines <br />
#the coordinator may keep a waiting list of translators who can be called upon if necessary <br />
#every translated chunk must be reviewed, preferably by someone from a country other than the translator's country of origin <br />
#the complete document must be reviewed again, with the aim of standardizing the wording.&lt;br&gt;<br />
<br />
=Available Documents=<br />
<br />
* [[OWASP Brasil Manifesto]]<br />
* OWASP Secure Coding Practices - Quick Reference Guide ([https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-PT.pdf PT_PT] | [https://www.owasp.org/index.php/File:OWASP_SCP_v1.3_pt-BR.pdf PT_BR])<br />
<br />
= Project About =<br />
<br />
{{:Projects/OWASP Portuguese Language Project | Project About}} <br />
<br />
&lt;br&gt; __NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Project|Portuguese Language Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_Connections_Committee_-_Application_9OWASP Connections Committee - Application 92012-03-14T15:41:48Z<p>Sapao: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]] <br />
<br />
----<br />
<br />
{| border=&quot;0&quot; align=&quot;center&quot; style=&quot;width: 100%;&quot;<br />
|-<br />
! align=&quot;center&quot; style=&quot;background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;&quot; colspan=&quot;2&quot; | &lt;font color=&quot;white&quot;&gt;'''COMMITTEE APPLICATION FORM'''&lt;/font&gt;<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''Applicant's Name''' <br />
| align=&quot;left&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; colspan=&quot;1&quot; | &lt;font color=&quot;black&quot;&gt;Luiz Eduardo Dos Santos&lt;/font&gt;<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''Current and past OWASP Roles''' <br />
| align=&quot;left&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; colspan=&quot;1&quot; | LATAM Regional Event Coordinator, Member<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''Committee Applying for''' <br />
| align=&quot;left&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; colspan=&quot;1&quot; | OWASP Connection Committee<br />
|}<br />
<br />
----<br />
<br />
&lt;br&gt; <br />
<br />
----<br />
<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote. <br />
<br />
----<br />
<br />
&lt;br&gt; <br />
<br />
----<br />
<br />
{| border=&quot;0&quot; align=&quot;center&quot; style=&quot;width: 100%;&quot;<br />
|-<br />
! align=&quot;center&quot; style=&quot;background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;&quot; colspan=&quot;8&quot; | &lt;font color=&quot;white&quot;&gt;'''COMMITTEE RECOMMENDATIONS'''&lt;/font&gt;<br />
|-<br />
! align=&quot;center&quot; style=&quot;background: white none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;&quot; | &lt;font color=&quot;black&quot;&gt;&lt;/font&gt;<br />
! align=&quot;center&quot; style=&quot;background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;&quot; | &lt;font color=&quot;black&quot;&gt;'''Who Recommends/Name'''&lt;/font&gt;<br />
! align=&quot;center&quot; style=&quot;background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;&quot; | &lt;font color=&quot;black&quot;&gt;'''Role in OWASP'''&lt;/font&gt;<br />
! align=&quot;center&quot; style=&quot;background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;&quot; | &lt;font color=&quot;black&quot;&gt;'''Recommendation Content'''&lt;/font&gt;<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''1''' <br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | Lucas C. Ferreira<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | Portuguese Project Leader, Conferences Committee Member<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | Luiz Eduardo is one of the best known security professionals in Brazil, has helped with the Program committee of AppSec Brasil 2011 and is very well connected to industry and academia folks around the globe. <br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''2''' <br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | NAME<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | TITLE<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | WHY<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''3''' <br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | NAME<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | TITLE<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | WHY<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''4''' <br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | NAME<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | TITLE<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | WHY.<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''5''' <br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | NAME<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | TITLE<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | WHY<br />
|}<br />
<br />
----</div>Sapaohttps://www.owasp.org/index.php/OWASP_Connections_Committee_-_Application_9OWASP Connections Committee - Application 92012-03-14T15:23:24Z<p>Sapao: </p>
<hr />
<div>[[How to Join a Committee|Click here to return to 'How to Join a Committee' page]] <br />
<br />
----<br />
<br />
{| border=&quot;0&quot; align=&quot;center&quot; style=&quot;width: 100%;&quot;<br />
|-<br />
! align=&quot;center&quot; style=&quot;background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;&quot; colspan=&quot;2&quot; | &lt;font color=&quot;white&quot;&gt;'''COMMITTEE APPLICATION FORM'''&lt;/font&gt;<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''Applicant's Name''' <br />
| align=&quot;left&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; colspan=&quot;1&quot; | &lt;font color=&quot;black&quot;&gt;Luiz Eduardo Dos Santos&lt;/font&gt;<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''Current and past OWASP Roles''' <br />
| align=&quot;left&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; colspan=&quot;1&quot; | LATAM Regional Event Coordinator, Member<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(123, 138, 189) none repeat scroll 0% 0%; width: 25%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''Committee Applying for''' <br />
| align=&quot;left&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 85%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; colspan=&quot;1&quot; | OWASP Connection Committee<br />
|}<br />
<br />
----<br />
<br />
&lt;br&gt; <br />
<br />
----<br />
<br />
Please be aware that for an application to be considered by the board, '''you MUST have 5 recommendations'''. An incomplete application will not be considered for vote. <br />
<br />
----<br />
<br />
&lt;br&gt; <br />
<br />
----<br />
<br />
{| border=&quot;0&quot; align=&quot;center&quot; style=&quot;width: 100%;&quot;<br />
|-<br />
! align=&quot;center&quot; style=&quot;background: rgb(64, 88, 160) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;&quot; colspan=&quot;8&quot; | &lt;font color=&quot;white&quot;&gt;'''COMMITTEE RECOMMENDATIONS'''&lt;/font&gt;<br />
|-<br />
! align=&quot;center&quot; style=&quot;background: white none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;&quot; | &lt;font color=&quot;black&quot;&gt;&lt;/font&gt;<br />
! align=&quot;center&quot; style=&quot;background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;&quot; | &lt;font color=&quot;black&quot;&gt;'''Who Recommends/Name'''&lt;/font&gt;<br />
! align=&quot;center&quot; style=&quot;background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;&quot; | &lt;font color=&quot;black&quot;&gt;'''Role in OWASP'''&lt;/font&gt;<br />
! align=&quot;center&quot; style=&quot;background: rgb(123, 138, 189) none repeat scroll 0% 0%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous; color: white;&quot; | &lt;font color=&quot;black&quot;&gt;'''Recommendation Content'''&lt;/font&gt;<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''1''' <br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | Lucas C. Ferreira<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | Portuguese Project Leader, Conferences Committee Member<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | Luiz Eduardo is one of the best known security professionals in Brazil, has helped with the Program committee of AppSec Brasil 2011 and is very well connected to industry and academia folks around the globe. <br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''2''' <br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | NAME<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | TITLE<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | WHY<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''3''' <br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | NAME<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | TITLE<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | WHY<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''4''' <br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | NAME<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | TITLE<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | WHY.<br />
|-<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 3%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | '''5''' <br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | NAME<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 20%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | TITLE<br />
| align=&quot;center&quot; style=&quot;background: rgb(204, 204, 204) none repeat scroll 0% 0%; width: 57%; -moz-background-clip: border; -moz-background-origin: padding; -moz-background-inline-policy: continuous;&quot; | WHY<br />
|}<br />
<br />
----</div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_ManifestoOWASP Brasil Manifesto2012-01-06T18:08:48Z<p>Sapao: /* Presentations */</p>
<hr />
<div>= Web Security: A Window of Opportunities (Segurança na Web: Uma janela de oportunidades) =<br />
<br />
== What is the manifesto ==<br />
This manifesto has been written by the OWASP Chapters in Brazil as a recommendation to the Brazilian Government. It aims to help government officials think about Application Security and recommends several lines of action that can improve the current panorama of application security.<br />
<br />
The document contains recommendations for legislators, consumer protection agencies, educators and general recommendations that any government agency can adopt.<br />
<br />
== Original Portuguese version ==<br />
<br />
'''Wiki version:''' [[OWASP_Brasil_Manifesto/br]]<br />
<br />
'''PDF version''' [[media: Seguranca na web - uma janela de oportunidades.pdf]]<br />
<br />
== Translations ==<br />
<br />
[https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/en English Template]: this can be adapted to fit the reality of your country.<br />
<br />
==Presentations==<br />
<br />
Spanish for the OWASP Latam Tour 2011: [[media: Manifesto.para.gobiernos.ppt]]<br />
<br />
Portuguese for SegInfo 2011: Slides [[media: Seguranca_na_web.ppt]] and [http://www.videolog.tv/SegInfo/videos/739416 link video]<br />
<br />
==Project==<br />
<br />
This document has been included in the [[OWASP Portuguese Language Project]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_File_Hash_RepositoryOWASP File Hash Repository2011-11-02T23:53:37Z<p>Sapao: /* Database schema */</p>
<hr />
<div>==== Main ====<br />
<br />
=FHR FAQ=<br />
<br />
==What is FHR?==<br />
<br />
Simply put, FHR is a repository of file hashes. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) malware or when a file is recognized as benign. Thus, anyone could look up the hash of a file to see whether it corresponds to a known malware file or to an already known good file. <br />
<br />
==Aren't there already other sources for this information? ==<br />
<br />
Yes, and one of the ideas of the project is to aggregate and leverage information from already existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information in a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals for FHR is to allow free access to its database. <br />
<br />
==Isn't free access to a database that contains malware dangerous?==<br />
Yes, it's dangerous, but the project repository will not contain malware. The repository will only have the hashes of malware, which poses no danger. <br />
<br />
==Detecting malware using only hashes is not a good strategy.==<br />
Certainly, and the project is not intended to replace current anti-virus scanners. However, creating hashes is more efficient and easier than creating generic virus detection algorithms, and it is a strategy that is being used as a complement to traditional antivirus products. Several commercial products use cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database that can be used by everyone. <br />
<br />
==Will the FHR be integrated into antivirus systems?==<br />
We intend to develop clients to the FHR database that can scan workstations and query FHR's database to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors start supporting FHR, but only time will tell. <br />
<br />
==Technically, how does the FHR work?==<br />
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, we can develop several query interfaces. Some ideas of protocols for querying the FHR database are:<br />
<br />
* DNS<br />
* web<br />
* web services<br />
* JSON<br />
<br />
The current codebase includes a DNS-based query interface.<br />
<br />
==What data are available in the database?==<br />
<br />
We currently have a little more than 20 million files in the database. These come mainly from the NSRL, and we included several PE files from Windows Vista and other common software. For each registered file, we have the following information:<br />
<br />
* SHA-1<br />
* MD5<br />
* source<br />
* date when the system saw the hash / file for the first time (not available for the files from NIST)<br />
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)<br />
* size<br />
* certainty (a percentage that indicates the degree of certainty about the status of the file).<br />
<br />
==Testing the system==<br />
<br />
To query the FHR, append the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file and resolve the resulting name. For example, either<br />
&lt;pre&gt;<br />
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
&lt;/pre&gt;<br />
or<br />
&lt;pre&gt;<br />
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
&lt;/pre&gt;<br />
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.<br />
<br />
====Roadmap====<br />
<br />
[[Projects/OWASP_File_Hash_Repository/Roadmap]]<br />
<br />
====Documentation====<br />
<br />
==Database schema==<br />
<br />
The FHR database contains a single table, called File, described below:<br />
<br />
&lt;pre&gt;<br />
mysql&gt; show columns from File in FHR;<br />
+-----------+------------+------+-----+---------+----------------+<br />
| Field | Type | Null | Key | Default | Extra |<br />
+-----------+------------+------+-----+---------+----------------+<br />
| idFile | int(11) | NO | PRI | NULL | auto_increment |<br />
| SHA1 | char(40) | YES | MUL | NULL | |<br />
| MD5 | char(32) | YES | MUL | NULL | |<br />
| size | mediumtext | YES | | NULL | |<br />
| source | char(10) | YES | | NULL | |<br />
| date | date | YES | | NULL | |<br />
| status | char(10) | NO | | NULL | |<br />
| certainty | float | YES | | NULL | |<br />
+-----------+------------+------+-----+---------+----------------+<br />
8 rows in set (0.00 sec)<br />
&lt;/pre&gt;<br />
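As an added example, not part of the FHR project's own code, here is a small Python model of what the "Testing the system" and "Database schema" sections describe: an in-memory SQLite mirror of the File table, a lookup keyed by MD5 or SHA-1 (the column is chosen by hash length), and construction of the DNS query name that the dig example resolves. The table name, column names, the four status values and the .hash.sapao.net suffix come from the page; the SQLite type mapping (size as INTEGER rather than mediumtext), the helper names and the sample file contents are assumptions constructed for the example.

```python
import hashlib
import sqlite3
from dataclasses import dataclass
from typing import Optional, Tuple

# DNS suffix from the page's "Testing the system" section.
FHR_DNS_SUFFIX = "hash.sapao.net"
# The four status values listed on the page.
VALID_STATUS = {"GOOD", "MALWARE", "UNKNOWN", "SUSPICIOUS"}
HEX_DIGITS = set("0123456789ABCDEF")


@dataclass
class FileRecord:
    """One row of the File table (assumed Python-side shape, not project code)."""
    sha1: str
    md5: str
    size: int
    source: str
    date: Optional[str]
    status: str
    certainty: float


def hash_file_bytes(data: bytes) -> Tuple[str, str]:
    """Return (MD5, SHA-1) in upper-case hex, the form used in the page's dig example."""
    return hashlib.md5(data).hexdigest().upper(), hashlib.sha1(data).hexdigest().upper()


def normalize_hash(hexhash: str) -> str:
    """Accept only an MD5 (32 hex chars) or a SHA-1 (40 hex chars), upper-cased."""
    h = hexhash.strip().upper()
    if len(h) not in (32, 40) or not set(h) <= HEX_DIGITS:
        raise ValueError("expected an MD5 or SHA-1 hash in hex")
    return h


def fhr_query_name(hexhash: str) -> str:
    """Build the DNS name to resolve: <hash>.hash.sapao.net (query it with dig or dig TXT)."""
    return f"{normalize_hash(hexhash)}.{FHR_DNS_SUFFIX}"


def open_local_fhr() -> sqlite3.Connection:
    """In-memory mirror of the File table. Column names follow the page's schema;
    the SQLite types are an assumed approximation of the MySQL ones."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE File (
               idFile    INTEGER PRIMARY KEY AUTOINCREMENT,
               SHA1      CHAR(40),
               MD5       CHAR(32),
               size      INTEGER,
               source    CHAR(10),
               date      DATE,
               status    CHAR(10) NOT NULL,
               certainty REAL)"""
    )
    # The MySQL schema marks SHA1 and MD5 as indexed (Key = MUL).
    conn.execute("CREATE INDEX idx_file_sha1 ON File (SHA1)")
    conn.execute("CREATE INDEX idx_file_md5 ON File (MD5)")
    return conn


def register(conn: sqlite3.Connection, data: bytes, source: str, status: str,
             certainty: float, date: Optional[str] = None) -> FileRecord:
    """Hash a file's bytes and insert one row; returns the stored record."""
    if status not in VALID_STATUS:
        raise ValueError(f"status must be one of {sorted(VALID_STATUS)}")
    md5, sha1 = hash_file_bytes(data)
    rec = FileRecord(sha1, md5, len(data), source, date, status, certainty)
    conn.execute(
        "INSERT INTO File (SHA1, MD5, size, source, date, status, certainty) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        (rec.sha1, rec.md5, rec.size, rec.source, rec.date, rec.status, rec.certainty),
    )
    return rec


def lookup(conn: sqlite3.Connection, hexhash: str) -> FileRecord:
    """Look up a hash. The column name is picked by hash length, never taken from
    the input, and the hash itself is a bound parameter. A hash the repository
    has never seen is reported as UNKNOWN with zero certainty."""
    h = normalize_hash(hexhash)
    column = "MD5" if len(h) == 32 else "SHA1"
    row = conn.execute(
        f"SELECT SHA1, MD5, size, source, date, status, certainty FROM File WHERE {column} = ?",
        (h,),
    ).fetchone()
    if row is None:
        return FileRecord(sha1=h if column == "SHA1" else "", md5=h if column == "MD5" else "",
                          size=0, source="", date=None, status="UNKNOWN", certainty=0.0)
    return FileRecord(*row)


if __name__ == "__main__":
    # Constructed sample data, not real NSRL or malware entries.
    conn = open_local_fhr()
    good = register(conn, b"constructed benign sample", "NSRL", "GOOD", 100.0, "2011-11-02")
    print(fhr_query_name(good.md5), "->", lookup(conn, good.md5).status)
    print(fhr_query_name("0" * 40), "->", lookup(conn, "0" * 40).status)
```

A real client would hand the name returned by fhr_query_name to a resolver exactly as the dig commands above do; the example stays offline and does not define the TXT answer format, which the page does not document.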
<br />
==Server Implementation Details==<br />
<br />
The DNS server is implemented in Java and is based on the EagleDNS server, which uses the dnsjava library. <br />
<br />
===EagleDNS extensions===<br />
The EagleDNS server is easily extended. It is based on the concept of Zone Providers, which provide specific implementations for the backend storage of zone data. The server provides two basic providers, one for loading data from simple zone files and another for loading data from a database.<br />
<br />
At first glance, the database zone provider might seem a perfect fit for FHR, but on closer examination it is not. The main reason is that EagleDNS uses the dnsjava Zone class to represent zone data. This implementation requires all zone data to be held in memory, which would be impossible for FHR, since it will contain millions of entries, each corresponding to a DNS record.<br />
<br />
So we had to extend EagleDNS by implementing its ZoneProvider interface, and we also needed to extend the functionality of the dnsjava Zone class. This created a problem, since the Zone class was not designed to be extended. We had to change the dnsjava source code and recompile the library before we could implement the FHRZoneProvider class.<br />
<br />
The diffs for the dnsjava classes are available at [[OWASP_File_Hash_Repository/dnsjava_diffs]]<br />
<br />
===The FHRZoneProvider rationale===<br />
TODO.<br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP File Hash Repository | Project About}} <br />
<br />
__NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]<br />
[[Category:OWASP Project]]</div>Sapaohttps://www.owasp.org/index.php/Projects/OWASP_File_Hash_Repository/RoadmapProjects/OWASP File Hash Repository/Roadmap2011-11-02T22:53:31Z<p>Sapao: </p>
<hr />
<div># have a running version of the server able to answer queries via DNS<br />
# transform proof-of-concept code into production-ready code<br />
# have the server query sources for unknown hashes<br />
# implement other query interfaces (Web services, JSON, socket, etc)<br />
# incorporate new information sources<br />
# produce an upload interface</div>Sapaohttps://www.owasp.org/index.php/OWASP_File_Hash_RepositoryOWASP File Hash Repository2011-11-02T01:44:18Z<p>Sapao: </p>
<hr />
<div>==== Main ====<br />
<br />
=FHR FAQ=<br />
<br />
==What is FHR?==<br />
<br />
Simply put, FHR is a repository of file hashes. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) malware or when a file is recognized as benign. Thus, anyone could look up the hash of a file to see whether it corresponds to a known malware file or to an already known good file. <br />
<br />
==Aren't there already other sources for this information? ==<br />
<br />
Yes, and one of the ideas of the project is to aggregate and leverage information from already existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information in a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals for FHR is to allow free access to its database. <br />
<br />
==Isn't free access to a database that contains malware dangerous?==<br />
Yes, it's dangerous, but the project repository will not contain malware. The repository will only have the hashes of malware, which poses no danger. <br />
<br />
==Detecting malware using only hashes is not a good strategy.==<br />
Certainly, and the project is not intended to replace current anti-virus scanners. However, creating hashes is more efficient and easier than creating generic virus detection algorithms, and it is a strategy that is being used as a complement to traditional antivirus products. Several commercial products use cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database that can be used by everyone. <br />
<br />
==Will the FHR be integrated into antivirus systems?==<br />
We intend to develop clients to the FHR database that can scan workstations and query FHR's database to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors start supporting FHR, but only time will tell. <br />
<br />
==Technically, how does the FHR work?==<br />
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, we can develop several query interfaces. Some ideas of protocols for querying the FHR database are:<br />
<br />
* DNS<br />
* web<br />
* web services<br />
* JSON<br />
<br />
The current codebase includes a DNS-based query interface.<br />
<br />
==What data are available in the database?==<br />
<br />
We currently have a little more than 20 million files in the database. These come mainly from the NSRL, and we included several PE files from Windows Vista and other common software. For each registered file, we have the following information:<br />
<br />
* SHA-1<br />
* MD5<br />
* source<br />
* date when the system saw the hash / file for the first time (not available for the files from NIST)<br />
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)<br />
* size<br />
* certainty (a percentage that indicates the degree of certainty about the status of the file).<br />
<br />
==Testing the system==<br />
<br />
To query the FHR, append the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file and resolve the resulting name. For example, either<br />
&lt;pre&gt;<br />
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
&lt;/pre&gt;<br />
or<br />
&lt;pre&gt;<br />
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
&lt;/pre&gt;<br />
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.<br />
<br />
====Roadmap====<br />
<br />
[[Projects/OWASP_File_Hash_Repository/Roadmap]]<br />
<br />
====Documentation====<br />
<br />
==Database schema==<br />
<br />
The FHR database contains a single table, called File, described below:<br />
<br />
&lt;pre&gt;<br />
mysql&gt; show columns from File in FHR;<br />
+-----------+------------+------+-----+---------+----------------+<br />
| Field | Type | Null | Key | Default | Extra |<br />
+-----------+------------+------+-----+---------+----------------+<br />
| idFile | int(11) | NO | PRI | NULL | auto_increment |<br />
| SHA1 | char(40) | YES | MUL | NULL | |<br />
| MD5 | char(32) | YES | MUL | NULL | |<br />
| size | mediumtext | YES | | NULL | |<br />
| source | char(10) | YES | | NULL | |<br />
| date | date | YES | | NULL | |<br />
| status | char(10) | NO | | NULL | |<br />
| certainty | float | YES | | NULL | |<br />
+-----------+------------+------+-----+---------+----------------+<br />
8 rows in set (0.00 sec)<br />
<br />
&lt;/pre&gt;<br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP File Hash Repository | Project About}} <br />
<br />
__NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]<br />
[[Category:OWASP Project]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_File_Hash_RepositoryOWASP File Hash Repository2011-11-02T01:36:02Z<p>Sapao: </p>
<hr />
<div>==== Main ====<br />
<br />
=FHR FAQ=<br />
<br />
==What is FHR?==<br />
<br />
Simply put, FHR is a repository of file hashes. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) malware or when a file is recognized as benign. Thus, anyone could look up the hash of a file to see whether it corresponds to a known malware file or to an already known good file. <br />
<br />
==Aren't there already other sources for this information? ==<br />
<br />
Yes, and one of the ideas of the project is to aggregate and leverage information from already existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information in a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals for FHR is to allow free access to its database. <br />
<br />
==Isn't free access to a database that contains malware dangerous?==<br />
Yes, it's dangerous, but the project repository will not contain malware. The repository will only have the hashes of malware, which poses no danger. <br />
<br />
==Detecting malware using only hashes is not a good strategy.==<br />
Certainly, and the project is not intended to replace current anti-virus scanners. However, creating hashes is more efficient and easier than creating generic virus detection algorithms, and it is a strategy already being used as a complement to traditional antivirus products. Several commercial products use cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database that can be used by everyone. <br />
<br />
==Will the FHR be integrated into antivirus systems?==<br />
We intend to develop clients for the FHR database that can scan workstations and query FHR's database to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors started supporting FHR, but only time will tell. <br />
<br />
==Technically, how does the FHR work?==<br />
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, we can develop several query interfaces. Some ideas of protocols for querying the FHR database are:<br />
<br />
* DNS<br />
* web<br />
* web services<br />
* JSON<br />
<br />
The current codebase includes a DNS-based query interface.<br />
<br />
==What data are available in the database?==<br />
<br />
We currently have a little more than 20 million files in the database. These come mainly from the NSRL, and we have included several PE files from Windows Vista and other common software. For each registered file, we have the following information:<br />
<br />
* SHA-1<br />
* MD5<br />
* source<br />
* date when the system saw the hash / file for the first time (not available for the files from NIST)<br />
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)<br />
* size<br />
* certainty (a percentage that indicates the degree of certainty about the status of the file).<br />
<br />
==Testing the system==<br />
<br />
To query the FHR, add the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file. For example:<br />
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
or<br />
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.<br />
<br />
====Roadmap====<br />
<br />
[[Projects/OWASP_File_Hash_Repository/Roadmap]]<br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP File Hash Repository | Project About}} <br />
<br />
__NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]<br />
[[Category:OWASP Project]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_File_Hash_RepositoryOWASP File Hash Repository2011-10-31T23:06:58Z<p>Sapao: /* Testing the system */</p>
<hr />
<div>==== Main ====<br />
<br />
=FHR FAQ=<br />
<br />
==What is FHR?==<br />
<br />
Simply put, FHR is a repository of file hashes. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) malware or when a file is recognized as benign. Thus, anyone could look up the hash of a file to see whether it corresponds to a known malware file or to an already known good file. <br />
<br />
==Aren't there already other sources for this information? ==<br />
<br />
Yes, and one of the ideas of the project is to aggregate and leverage information from already existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information in a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals for FHR is to allow free access to its database. <br />
<br />
==Isn't free access to a database that contains malware dangerous?==<br />
Yes, it's dangerous, but the project repository will not contain malware. The repository will only have the hashes of malware, which poses no danger. <br />
<br />
==Detecting malware using only hashes is not a good strategy.==<br />
Certainly, and the project is not intended to replace current anti-virus scanners. However, creating hashes is more efficient and easier than creating generic virus detection algorithms, and it is a strategy already being used as a complement to traditional antivirus products. Several commercial products use cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database that can be used by everyone. <br />
<br />
==Will the FHR be integrated into antivirus systems?==<br />
We intend to develop clients for the FHR database that can scan workstations and query FHR's database to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors started supporting FHR, but only time will tell. <br />
<br />
==Technically, how does the FHR work?==<br />
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, we can develop several query interfaces. Some ideas of protocols for querying the FHR database are:<br />
<br />
* DNS<br />
* web<br />
* web services<br />
* JSON<br />
<br />
The current codebase includes a DNS-based query interface.<br />
<br />
==What data are available in the database?==<br />
<br />
We currently have a little more than 20 million files in the database. These come mainly from the NSRL, and we have included several PE files from Windows Vista and other common software. For each registered file, we have the following information:<br />
<br />
* SHA-1<br />
* MD5<br />
* source<br />
* date when the system saw the hash / file for the first time (not available for the files from NIST)<br />
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)<br />
* size<br />
* certainty (a percentage that indicates the degree of certainty about the status of the file).<br />
<br />
==Testing the system==<br />
<br />
To query the FHR, add the suffix .hash.sapao.net to the MD5 or SHA-1 hash (in hex format) of the file. For example:<br />
dig 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
or<br />
dig TXT 84C0C5914FF0B825141BA2C6A9E3D6F4.hash.sapao.net<br />
will query the database for the hash '''84C0C5914FF0B825141BA2C6A9E3D6F4'''.<br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP File Hash Repository | Project About}} <br />
<br />
__NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]<br />
[[Category:OWASP Project]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_File_Hash_RepositoryOWASP File Hash Repository2011-10-23T21:13:18Z<p>Sapao: </p>
<hr />
<div>==== Main ====<br />
<br />
=FHR FAQ=<br />
<br />
==What is FHR?==<br />
<br />
Simply put, FHR is a repository of file hashes. But the idea is to go beyond just keeping a list of hashes: I want the repository to indicate when the file in question is (part of) malware or when a file is recognized as benign. Thus, anyone could look up the hash of a file to see whether it corresponds to a known malware file or to an already known good file. <br />
<br />
==Aren't there already other sources for this information? ==<br />
<br />
Yes, and one of the ideas of the project is to aggregate and leverage information from already existing sources. For example, NIST has the [http://www.nsrl.nist.gov NSRL], which provides hashes of known benign files. The problem is that NIST provides this information in a text file whose download is over 1GB in size. Other known sources are Team Cymru's [http://www.team-cymru.org/Services/MHR/ MHR], [http://isc.sans.edu/tools/hashsearch.html SANS Institute's hash database] and [http://www.virustotal.com Virus Total]. In addition to aggregating the information, one of the main goals for FHR is to allow free access to its database. <br />
<br />
==Isn't free access to a database that contains malware dangerous?==<br />
Yes, it's dangerous, but the project repository will not contain malware. The repository will only have the hashes of malware, which poses no danger. <br />
<br />
==Detecting malware using only hashes is not a good strategy.==<br />
Certainly, and the project is not intended to replace current anti-virus scanners. However, creating hashes is more efficient and easier than creating generic virus detection algorithms, and it is a strategy already being used as a complement to traditional antivirus products. Several commercial products use cloud computing as part of their strategies. Unfortunately, the producers of these technologies do not allow queries to their hash databases. With FHR, the goal is to create a freely available database that can be used by everyone. <br />
<br />
==Will the FHR be integrated into antivirus systems?==<br />
We intend to develop clients for the FHR database that can scan workstations and query FHR's database to try to identify malware. These clients will be created as a proof of concept and will be open source. It would be great if some antivirus vendors started supporting FHR, but only time will tell. <br />
<br />
==Technically, how does the FHR work?==<br />
As expected, the core of the system is its database of hashes. Today this database runs on MySQL. Around this database, we can develop several query interfaces. Some ideas of protocols for querying the FHR database are:<br />
<br />
* DNS<br />
* web<br />
* web services<br />
* JSON<br />
<br />
The current codebase includes a DNS-based query interface.<br />
<br />
==What data are available in the database?==<br />
<br />
We currently have a little more than 20 million files in the database. These come mainly from the NSRL, and we have included several PE files from Windows Vista and other common software. For each registered file, we have the following information:<br />
<br />
* SHA-1<br />
* MD5<br />
* source<br />
* date when the system saw the hash / file for the first time (not available for the files from NIST)<br />
* status (GOOD, MALWARE, UNKNOWN, SUSPICIOUS)<br />
* size<br />
* certainty (a percentage that indicates the degree of certainty about the status of the file).<br />
<br />
==Testing the system==<br />
<br />
We will soon integrate the system into the global DNS, so everyone can query the database through the DNS interface.<br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP File Hash Repository | Project About}} <br />
<br />
__NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Tool]] [[Category:OWASP_Alpha_Quality_Tool]]<br />
[[Category:OWASP Project]]</div>Sapaohttps://www.owasp.org/index.php/BrasiliaBrasilia2011-09-12T21:14:47Z<p>Sapao: /* Local News */</p>
<hr />
<div>{{Chapter Template|chaptername=Brasilia|extra=The chapter leader is [mailto:lucas.ferreira@owasp.org Lucas Ferreira]|mailinglistsite=http://lists.owasp.org/mailman/listinfo/owasp-Brasilia|emailarchives=http://lists.owasp.org/pipermail/owasp-Brasilia}}<br />
<br />
&lt;paypal&gt;Brazil&lt;/paypal&gt;<br />
<br />
== Local News ==<br />
<br />
===Second chapter meeting===<br />
<br />
The second meeting of the Brasília Chapter will be on 19/9 at UnB (CIC auditorium, module 18 of the "minhocão", basement level). For more details, see [https://www.regonline.com/owaspbsb201109].<br />
<br />
This meeting will be sponsored by the [http://www.trainingtecnologia.com.br Grupo Training Tecnologia] as a ''single meeting supporter''. Thanks to that, there will be a coffee break for the participants.<br />
<br />
&lt;center&gt;<br />
[[File:Logo_training_tecnologia.png‎]]<br />
&lt;/center&gt;<br />
<br />
===Meeting rescheduled!!!===<br />
<br />
'''First Chapter meeting''' <br />
<br />
The first meeting of the Brasília Chapter will be on 9/5 at UnB. For more details about the venue, see the [http://www.regonline.com/owaspbrasiliachaptermeeting registration page].<br />
<br />
&lt;center&gt;<br />
'''[http://www.regonline.com/owaspbrasiliachaptermeeting Register] now!!'''<br />
&lt;/center&gt;<br />
<br />
[[Category:OWASP Chapter]]<br />
[[Category:Brasil]]</div>Sapaohttps://www.owasp.org/index.php/File:Logo_training_tecnologia.pngFile:Logo training tecnologia.png2011-09-12T21:12:42Z<p>Sapao: </p>
<hr />
<div></div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_ManifestoOWASP Brasil Manifesto2011-08-16T00:12:01Z<p>Sapao: </p>
<hr />
<div>= Segurança na Web: Uma janela de oportunidades=<br />
<br />
== What is the manifesto ==<br />
This manifesto has been written by the OWASP Chapters in Brazil as a recommendation to the Brazilian Government. It aims to help government officials think about Application Security and recommends several lines of action that can improve the current state of application security.<br />
<br />
The document contains recommendations for legislators, consumer protection agencies, educators and general recommendations that any government agency can adopt.<br />
<br />
== Original Portuguese version ==<br />
<br />
'''Wiki version:''' [[OWASP_Brasil_Manifesto/br]]<br />
<br />
'''PDF version:''' [[media: Seguranca na web - uma janela de oportunidades.pdf]]<br />
<br />
== Translations ==<br />
<br />
[https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/en English Template]: this can be adapted to fit the reality of your country.<br />
<br />
==Presentations==<br />
<br />
Spanish for the OWASP Latam Tour 2011: [[media: Manifesto.para.gobiernos.ppt]]<br />
<br />
Portuguese for SegInfo 2011: [[media: Seguranca_na_web.ppt]]<br />
<br />
==Project==<br />
<br />
This document has been included in the [[OWASP Portuguese Language Project]].</div>Sapaohttps://www.owasp.org/index.php/File:Seguranca_na_web.pptFile:Seguranca na web.ppt2011-08-16T00:11:31Z<p>Sapao: </p>
<hr />
<div></div>Sapaohttps://www.owasp.org/index.php/File:Manifesto.para.gobiernos.pptFile:Manifesto.para.gobiernos.ppt2011-08-16T00:08:23Z<p>Sapao: </p>
<hr />
<div></div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_ManifestoOWASP Brasil Manifesto2011-07-25T15:36:06Z<p>Sapao: /* Translations */</p>
<hr />
<div>= Segurança na Web: Uma janela de oportunidades=<br />
<br />
== What is the manifesto ==<br />
This manifesto has been written by the OWASP Chapters in Brazil as a recommendation to the Brazilian Government. It aims to help government officials think about Application Security and recommends several lines of action that can improve the current state of application security.<br />
<br />
The document contains recommendations for legislators, consumer protection agencies, educators and general recommendations that any government agency can adopt.<br />
<br />
== Original Portuguese version ==<br />
<br />
'''Wiki version:''' [[OWASP_Brasil_Manifesto/br]]<br />
<br />
'''PDF version:''' [[media: Seguranca na web - uma janela de oportunidades.pdf]]<br />
<br />
== Translations ==<br />
<br />
[https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/en English Template]: this can be adapted to fit the reality of your country.<br />
<br />
==Project==<br />
<br />
This document has been included in the [[OWASP Portuguese Language Project]].</div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_Manifesto/brOWASP Brasil Manifesto/br2011-07-13T00:41:39Z<p>Sapao: /* Segurança na Web: Uma janela de oportunidades */</p>
<hr />
<div>=The Brazilian Portuguese version of the manifesto in wiki format=<br />
<br />
Here, we will link to a page for each of the sections of the manifesto. This version is in Portuguese.<br />
<br />
== Segurança na Web: Uma janela de oportunidades ==<br />
<br />
'''A message from OWASP Brasil to the Brazilian Government'''<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Sum%C3%A1rio_Executivo Executive Summary]<br />
* [https://www.owasp.org/index.php?title=OWASP_Brasil_Manifesto/br/A_inseguran%E7a_na_Web Insecurity on the Web]<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_Projeto_OWASP The OWASP Project]<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#O_que_pode_ser_feito.3F What can be done?]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_legisladores By legislators]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Permitir_e_incentivar_pesquisas_sobre_ataques_e_defesas_cibern.C3.A9ticas Allow and encourage research on attacks and defenses]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Requerer_a_publica.C3.A7.C3.A3o_de_avalia.C3.A7.C3.B5es_de_seguran.C3.A7a Require the publication of security assessments]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Criar_uma_ag.C3.AAncia_para_tratar_os_aspectos_de_divulga.C3.A7.C3.A3o_de_falhas_de_seguran.C3.A7a Create an agency to handle the disclosure of security flaws]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_o_cumprimento_de_requisitos_m.C3.ADnimos_de_seguran.C3.A7a_em_contratos_governamentais Require compliance with minimum security requirements in government contracts]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Responsabilizar_organiza.C3.A7.C3.B5es_que_n.C3.A3o_tratem_com_dilig.C3.AAncia_os_aspectos_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Hold accountable organizations that do not diligently address application security]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_que_a_administra.C3.A7.C3.A3o_p.C3.BAblica_tenha_acesso_.C3.A0s_atualiza.C3.A7.C3.B5es_de_seguran.C3.A7a_de_qualquer_software_durante_a_sua_vida_.C3.BAtil Require that public administration have access to security updates for any software during its useful life]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_a_abertura_do_c.C3.B3digo_fonte_de_aplicativos_utilizados_pela_administra.C3.A7.C3.A3o_p.C3.BAblica_cuja_vida_.C3.BAtil_tenha_terminado Require the source code of applications used by public administration to be opened once their useful life has ended]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Eliminar_licen.C3.A7as_de_software_que_isentam_os_fabricantes_da_responsabilidade_com_a_seguran.C3.A7a_de_seus_produtos Eliminate software licenses that exempt vendors from responsibility for the security of their products]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_defesa_do_consumidor By consumer protection agencies]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Atuar_para_restringir_o_uso_de_licen.C3.A7as_de_software_abusivas Act to restrict the use of abusive software licenses]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_que_os_fabricantes_divulguem_informa.C3.A7.C3.B5es_intelig.C3.ADveis_sobre_o_n.C3.ADvel_de_seguran.C3.A7a_de_seus_produtos_e.2Fou_servi.C3.A7os Require vendors to disclose intelligible information about the security level of their products or services]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_um_n.C3.ADvel_adequado_de_seguran.C3.A7a_de_sistemas_que_lidem_com_dados_que_possam_afetar_a_privacidade_dos_consumidores_ou_cidad.C3.A3os Require an adequate level of security for systems that handle data that may affect the privacy of consumers or citizens]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Definir_que_os_consumidores_devem_ser_informados_dos_poss.C3.ADveis_usos_dos_dados_inseridos_em_sistemas_ou_sites Establish that consumers must be informed of the possible uses of the data they enter into systems or websites]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Estabelecer_campanhas_de_conscientiza.C3.A7.C3.A3o_de_seguran.C3.A7a_para_os_consumidores Establish security awareness campaigns for consumers]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_controle By oversight agencies]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Definir_claramente_as_responsabilidades_com_rela.C3.A7.C3.A3o_aos_aspectos_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Clearly define responsibilities regarding application security]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Verificar_e_auditar_para_garantir_que_pr.C3.A1ticas_adequadas_de_seguran.C3.A7a_s.C3.A3o_adotadas Verify and audit to ensure that adequate security practices are adopted]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Facilitar_a_cria.C3.A7.C3.A3o_de_um_mercado_de_seguros_para_a_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Facilitate the creation of an insurance market for application security]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Requerer_o_uso_de_conex.C3.B5es_criptografadas_.28SSL.29_para_aplica.C3.A7.C3.B5es_web Require the use of encrypted connections (SSL) for web applications]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_ensino_e_pesquisa By education and research institutions]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Inclus.C3.A3o_das_boas_pr.C3.A1ticas_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es_no_conte.C3.BAdo_dos_cursos Inclusion of application security practices in course content]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Defini.C3.A7.C3.A3o_de_cursos_avan.C3.A7ados_para_forma.C3.A7.C3.A3o_de_m.C3.A3o-de-obra_na_.C3.A1rea Definition of advanced courses to train a workforce in the field]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Fomentar_e_financiar_pesquisas_sobre_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Foster and fund research on application security]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_a_forma.C3.A7.C3.A3o_de_profissionais_capazes_de_atuar_com_.C3.A9tica_e_responsabilidade Promote the training of professionals able to act ethically and responsibly]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_todos_os_.C3.B3rg.C3.A3os_p.C3.BAblicos By all public agencies]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Financiar_valida.C3.A7.C3.B5es_e_corre.C3.A7.C3.B5es_de_seguran.C3.A7a_para_sistemas_de_c.C3.B3digo_aberto Fund security validations and fixes for open source systems]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_o_uso_de_tecnologias_e_metodologias_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Promote the use of application security technologies and methodologies]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_e_permitir_testes_de_seguran.C3.A7a_de_forma_respons.C3.A1vel_mas_aberta Promote and allow security testing in a responsible but open manner]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_treinamento_e_conscientiza.C3.A7.C3.A3o_dos_gestores_para_os_desafios_da_seguran.C3.A7a_na_web Promote training and awareness among managers about the challenges of web security]<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Vantagens_competitivas_para_o_Brasil Competitive advantages for Brazil]<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Como_o_OWASP_pode_ajudar How can OWASP help?]<br />
* [https://www.owasp.org/index.php/Category:Brasil Contacts]</div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_Manifesto/brOWASP Brasil Manifesto/br2011-07-13T00:41:04Z<p>Sapao: /* Segurança na Web: Uma janela de oportunidades */</p>
<hr />
<div>=The Brazilian Portuguese version of the manifesto in wiki format=<br />
<br />
Here, we will link to a page for each of the sections of the manifesto. This version is in Portuguese.<br />
<br />
== Segurança na Web: Uma janela de oportunidades ==<br />
<br />
'''A message from OWASP Brasil to the Brazilian Government'''<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Sum%C3%A1rio_Executivo Executive Summary]<br />
* [https://www.owasp.org/index.php?title=OWASP_Brasil_Manifesto/br/A_inseguran%E7a_na_Web Insecurity on the Web]<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_Projeto_OWASP The OWASP Project]<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#O_que_pode_ser_feito.3F What can be done?]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_legisladores By legislators]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Permitir_e_incentivar_pesquisas_sobre_ataques_e_defesas_cibern.C3.A9ticas Allow and encourage research on attacks and defenses]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Requerer_a_publica.C3.A7.C3.A3o_de_avalia.C3.A7.C3.B5es_de_seguran.C3.A7a Require the publication of security assessments]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Criar_uma_ag.C3.AAncia_para_tratar_os_aspectos_de_divulga.C3.A7.C3.A3o_de_falhas_de_seguran.C3.A7a Create an agency to handle the disclosure of security flaws]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_o_cumprimento_de_requisitos_m.C3.ADnimos_de_seguran.C3.A7a_em_contratos_governamentais Require compliance with minimum security requirements in government contracts]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Responsabilizar_organiza.C3.A7.C3.B5es_que_n.C3.A3o_tratem_com_dilig.C3.AAncia_os_aspectos_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Hold accountable organizations that do not diligently address application security]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_que_a_administra.C3.A7.C3.A3o_p.C3.BAblica_tenha_acesso_.C3.A0s_atualiza.C3.A7.C3.B5es_de_seguran.C3.A7a_de_qualquer_software_durante_a_sua_vida_.C3.BAtil Require that public administration have access to security updates for any software during its useful life]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_a_abertura_do_c.C3.B3digo_fonte_de_aplicativos_utilizados_pela_administra.C3.A7.C3.A3o_p.C3.BAblica_cuja_vida_.C3.BAtil_tenha_terminado Require the source code of applications used by public administration to be opened once their useful life has ended]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Eliminar_licen.C3.A7as_de_software_que_isentam_os_fabricantes_da_responsabilidade_com_a_seguran.C3.A7a_de_seus_produtos Eliminate software licenses that exempt vendors from responsibility for the security of their products]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_defesa_do_consumidor By consumer protection agencies]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Atuar_para_restringir_o_uso_de_licen.C3.A7as_de_software_abusivas Act to restrict the use of abusive software licenses]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_que_os_fabricantes_divulguem_informa.C3.A7.C3.B5es_intelig.C3.ADveis_sobre_o_n.C3.ADvel_de_seguran.C3.A7a_de_seus_produtos_e.2Fou_servi.C3.A7os Require vendors to disclose intelligible information about the security level of their products or services]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_um_n.C3.ADvel_adequado_de_seguran.C3.A7a_de_sistemas_que_lidem_com_dados_que_possam_afetar_a_privacidade_dos_consumidores_ou_cidad.C3.A3os Require an adequate level of security for systems that handle data that may affect the privacy of consumers or citizens]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Definir_que_os_consumidores_devem_ser_informados_dos_poss.C3.ADveis_usos_dos_dados_inseridos_em_sistemas_ou_sites Establish that consumers must be informed of the possible uses of the data they enter into systems or websites]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Estabelecer_campanhas_de_conscientiza.C3.A7.C3.A3o_de_seguran.C3.A7a_para_os_consumidores Establish security awareness campaigns for consumers]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_controle By oversight agencies]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Definir_claramente_as_responsabilidades_com_rela.C3.A7.C3.A3o_aos_aspectos_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Clearly define responsibilities regarding application security]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Verificar_e_auditar_para_garantir_que_pr.C3.A1ticas_adequadas_de_seguran.C3.A7a_s.C3.A3o_adotadas Verify and audit to ensure that adequate security practices are adopted]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Facilitar_a_cria.C3.A7.C3.A3o_de_um_mercado_de_seguros_para_a_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Facilitate the creation of an insurance market for application security]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Requerer_o_uso_de_conex.C3.B5es_criptografadas_.28SSL.29_para_aplica.C3.A7.C3.B5es_web Require the use of encrypted connections (SSL) for web applications]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_ensino_e_pesquisa By education and research institutions]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Inclus.C3.A3o_das_boas_pr.C3.A1ticas_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es_no_conte.C3.BAdo_dos_cursos Inclusion of application security practices in course content]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Defini.C3.A7.C3.A3o_de_cursos_avan.C3.A7ados_para_forma.C3.A7.C3.A3o_de_m.C3.A3o-de-obra_na_.C3.A1rea Definition of advanced courses to train a workforce in the field]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Fomentar_e_financiar_pesquisas_sobre_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Foster and fund research on application security]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_a_forma.C3.A7.C3.A3o_de_profissionais_capazes_de_atuar_com_.C3.A9tica_e_responsabilidade Promote the training of professionals able to act ethically and responsibly]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_todos_os_.C3.B3rg.C3.A3os_p.C3.BAblicos By all public agencies]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Financiar_valida.C3.A7.C3.B5es_e_corre.C3.A7.C3.B5es_de_seguran.C3.A7a_para_sistemas_de_c.C3.B3digo_aberto Fund security validations and fixes for open source systems]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_o_uso_de_tecnologias_e_metodologias_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Promote the use of application security technologies and methodologies]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_e_permitir_testes_de_seguran.C3.A7a_de_forma_respons.C3.A1vel_mas_aberta Promote and allow security testing in a responsible but open manner]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_treinamento_e_conscientiza.C3.A7.C3.A3o_dos_gestores_para_os_desafios_da_seguran.C3.A7a_na_web Promover treinamento e conscientização dos gestores para os desafios da segurança na web]<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Vantagens_competitivas_para_o_Brasil Vantagens competitivas para o Brasil]<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Como_o_OWASP_pode_ajudar Como o OWASP pode ajudar?]<br />
* [https://www.owasp.org/index.php/Category:Brasil Contatos]</div>Sapaohttps://www.owasp.org/index.php/OWASP_Portuguese_Language_ProjectOWASP Portuguese Language Project2011-07-02T14:15:07Z<p>Sapao: </p>
<hr />
<div>==== Main ====<br />
<br />
== Decisions of the Working Session held at the OWASP Summit 2011 ==<br />
<br />
=== Standardization ===<br />
<br />
An effort will be needed to standardize the language used in the translations. Based on the experience gained by the Spanish-language translation project, it was decided that the first initiative in this direction will be the compilation of a glossary, with a list of the most problematic words and expressions and their recommended translations. <br />
<br />
=== Setting priorities ===<br />
<br />
Given the large amount of material made available by OWASP, translation efforts must be prioritized. At the Summit, the following documents were chosen as priorities for translation: <br />
<br />
*Top 10 <br />
*OpenSAMM (a partial translation already exists) <br />
*Presentations on what OWASP is and how it works<br />
<br />
The documents below already have a translation available and are priorities for review: <br />
<br />
*OWASP Quick Reference <br />
*ASVS<br />
<br />
=== Coordination ===<br />
<br />
The effort must be coordinated to be effective. The group decided on the following working method: <br />
<br />
*each translation will have a coordinator, responsible for allocating translation chunks, tracking the progress of the translation, setting deadlines and replacing translators when necessary. <br />
*each translation must publish on the wiki the information needed to follow its progress.<br />
<br />
=== Process ===<br />
<br />
The overall translation process was defined as: <br />
<br />
#each translation will be divided into chunks, which may be pages, chapters, parts, etc. <br />
#the coordinator allocates the chunks to translators and keeps track of allocations and deadlines on the wiki <br />
#the coordinator must always check the progress of the translation and compliance with the agreed deadlines <br />
#the coordinator may keep a waiting list of translators who can be called upon if necessary <br />
#every translated chunk must be reviewed, preferably by a person from a country other than the translator's country of origin <br />
#the complete document must be reviewed again, with the aim of making the wording uniform.&lt;br&gt;<br />
<br />
====Available Documents====<br />
<br />
* [[OWASP Brasil Manifesto]]<br />
* [[Media:OWASP_SCP_Quick_Reference_PT-BR_v1.2.pdf]]<br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Portuguese Language Project | Project About}} <br />
<br />
&lt;br&gt; __NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Project|Portuguese Language Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]</div>Sapaohttps://www.owasp.org/index.php/OWASP_Portuguese_Language_ProjectOWASP Portuguese Language Project2011-07-02T14:14:38Z<p>Sapao: </p>
<hr />
<div>==== Main ====<br />
<br />
== Decisions of the Working Session held at the OWASP Summit 2011 ==<br />
<br />
=== Standardization ===<br />
<br />
An effort will be needed to standardize the language used in the translations. Based on the experience gained by the Spanish-language translation project, it was decided that the first initiative in this direction will be the compilation of a glossary, with a list of the most problematic words and expressions and their recommended translations. <br />
<br />
=== Setting priorities ===<br />
<br />
Given the large amount of material made available by OWASP, translation efforts must be prioritized. At the Summit, the following documents were chosen as priorities for translation: <br />
<br />
*Top 10 <br />
*OpenSAMM (a partial translation already exists) <br />
*Presentations on what OWASP is and how it works<br />
<br />
The documents below already have a translation available and are priorities for review: <br />
<br />
*OWASP Quick Reference <br />
*ASVS<br />
<br />
=== Coordination ===<br />
<br />
The effort must be coordinated to be effective. The group decided on the following working method: <br />
<br />
*each translation will have a coordinator, responsible for allocating translation chunks, tracking the progress of the translation, setting deadlines and replacing translators when necessary. <br />
*each translation must publish on the wiki the information needed to follow its progress.<br />
<br />
=== Process ===<br />
<br />
The overall translation process was defined as: <br />
<br />
#each translation will be divided into chunks, which may be pages, chapters, parts, etc. <br />
#the coordinator allocates the chunks to translators and keeps track of allocations and deadlines on the wiki <br />
#the coordinator must always check the progress of the translation and compliance with the agreed deadlines <br />
#the coordinator may keep a waiting list of translators who can be called upon if necessary <br />
#every translated chunk must be reviewed, preferably by a person from a country other than the translator's country of origin <br />
#the complete document must be reviewed again, with the aim of making the wording uniform.&lt;br&gt;<br />
<br />
====Available Documents====<br />
<br />
[[OWASP Brasil Manifesto]]<br />
[[Media:OWASP_SCP_Quick_Reference_PT-BR_v1.2.pdf]]<br />
<br />
==== Project About ====<br />
<br />
{{:Projects/OWASP Portuguese Language Project | Project About}} <br />
<br />
&lt;br&gt; __NOTOC__ &lt;headertabs /&gt; <br />
<br />
[[Category:OWASP_Project|Portuguese Language Project]] [[Category:OWASP_Document]] [[Category:OWASP_Alpha_Quality_Document|OWASP Alpha Quality Document]]</div>Sapaohttps://www.owasp.org/index.php/Category:BrasilCategory:Brasil2011-07-02T14:13:41Z<p>Sapao: /* Documentos Publicados em Português (Portuguese Language Documents) */</p>
<hr />
<div>This [[:Special:Categories|category]] is meant to contain all [[:Category:OWASP Chapter|OWASP Chapters]] in Brasil.<br />
<br />
===Documentos Publicados em Português (Portuguese Language Documents)===<br />
<br />
* [http://code.google.com/p/webgoat-ptbr/downloads/list WebGoat in PT-BR]<br />
* [http://www.owasp.org/images/4/42/OWASP_TOP_10_2007_PT-BR.pdf OWASP Top Ten 2007]<br />
* [http://www.owasp.org/images/b/b4/OWASP-Intro-2008-pt-br.ppt Introduction to OWASP]<br />
* [http://www.owasp.org/images/7/75/OWASP_TOP10_PT-BR.ppt Top Ten 2007 presentation (PPT)]<br />
* [[media:OWASP_SCP_Quick_Reference_PT-BR_v1.2.pdf]]<br />
* [[media:Seguranca na web - uma janela de oportunidades.pdf]]<br />
<br />
<br />
[[Category:South America]]<br />
[[Category:Latin America]]</div>Sapaohttps://www.owasp.org/index.php/Category:BrasilCategory:Brasil2011-07-02T14:13:22Z<p>Sapao: /* Documentos Publicados em Português (Portuguese Language Documents) */</p>
<hr />
<div>This [[:Special:Categories|category]] is meant to contain all [[:Category:OWASP Chapter|OWASP Chapters]] in Brasil.<br />
<br />
===Documentos Publicados em Português (Portuguese Language Documents)===<br />
<br />
* [http://code.google.com/p/webgoat-ptbr/downloads/list WebGoat in PT-BR]<br />
* [http://www.owasp.org/images/4/42/OWASP_TOP_10_2007_PT-BR.pdf OWASP Top Ten 2007]<br />
* [http://www.owasp.org/images/b/b4/OWASP-Intro-2008-pt-br.ppt Introduction to OWASP]<br />
* [http://www.owasp.org/images/7/75/OWASP_TOP10_PT-BR.ppt Top Ten 2007 presentation (PPT)]<br />
* [[OWASP_SCP_Quick_Reference_PT-BR_v1.2.pdf]]<br />
* [[media: Seguranca na web - uma janela de oportunidades.pdf]]<br />
<br />
<br />
[[Category:South America]]<br />
[[Category:Latin America]]</div>Sapaohttps://www.owasp.org/index.php/Category:BrasilCategory:Brasil2011-07-02T14:13:05Z<p>Sapao: /* Documentos Publicados em Português (Portuguese Language Documents) */</p>
<hr />
<div>This [[:Special:Categories|category]] is meant to contain all [[:Category:OWASP Chapter|OWASP Chapters]] in Brasil.<br />
<br />
===Documentos Publicados em Português (Portuguese Language Documents)===<br />
<br />
* [http://code.google.com/p/webgoat-ptbr/downloads/list WebGoat in PT-BR]<br />
* [http://www.owasp.org/images/4/42/OWASP_TOP_10_2007_PT-BR.pdf OWASP Top Ten 2007]<br />
* [http://www.owasp.org/images/b/b4/OWASP-Intro-2008-pt-br.ppt Introduction to OWASP]<br />
* [http://www.owasp.org/images/7/75/OWASP_TOP10_PT-BR.ppt Top Ten 2007 presentation (PPT)]<br />
* [[OWASP_SCP_Quick_Reference_PT-BR_v1.2.pdf]<br />
* [[media: Seguranca na web - uma janela de oportunidades.pdf]]<br />
<br />
<br />
[[Category:South America]]<br />
[[Category:Latin America]]</div>Sapaohttps://www.owasp.org/index.php/File:OWASP_SCP_Quick_Reference_PT-BR_v1.2.pdfFile:OWASP SCP Quick Reference PT-BR v1.2.pdf2011-07-02T14:11:27Z<p>Sapao: </p>
<hr />
<div></div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_Manifesto/enOWASP Brasil Manifesto/en2011-06-24T17:48:13Z<p>Sapao: /* How can OWASP help? */</p>
<hr />
<div>=Web Security - A Window of Opportunity=<br />
'''A white paper from OWASP to Governments'''<br />
<br />
==Executive Summary==<br />
The Open Web Application Security Project (OWASP) is a global and open community focused on improving the security of software systems and has chapters in cities around the world. This document presents the vision of the Brazilian OWASP community on how the governments can act to improve security on the Internet.<br />
<br />
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security of the Internet and related software applications.<br />
<br />
The recommendations are divided according to the focus of each agency:<br />
* legislators<br />
* consumer protection bodies<br />
* control and audit bodies<br />
* teaching and research institutions<br />
* all public bodies<br />
<br />
The recommendations do not depend on each other, but we believe that maximum efficiency is achieved by implementing all of them. Improving security in the local Internet could bring several advantages for the country, such as attracting investment, training the workforce and developing an industry capable of exporting products and services with high added value.<br />
<br />
The experts that participate in OWASP are willing to contribute to the country, to help it move in the right direction and, for example, could serve as an advisory body or provide a channel for liaison with foreign experts if necessary. The OWASP organization is non-profit, and all specialists involved are volunteers.<br />
<br />
==Web Insecurity==<br />
<br />
The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% and 350% for North America and Europe respectively.<br />
<br />
Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to &quot;always connected&quot; users, accessing the Internet using a computer or cell phone when and wherever they are.<br />
<br />
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.<br />
<br />
Also, governments have invested in the use of electronic government (e-gov), involving strategies which provide services to the population via the Internet.<br />
<br />
add e-gov examples here.<br />
<br />
If seen as a communications tool, the Internet has included and also changed the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter, are a reality in the lives of individuals and companies, and have gained importance as tools for community building as well as for business.<br />
<br />
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in part of the network. However, this infrastructure depends on computer programs, called software. It is the software that defines the rules for the operation of computers, routers and other components of the worldwide network. <br />
<br />
As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Lawrence Lessig, a law professor at Harvard University, said that &quot;Code is law&quot;, i.e., the software is the law that governs the Internet. As a result, the &quot;laws&quot; governing the Internet are flawed, and these flaws can cause problems for the security of the network's users.<br />
<br />
Flaws in Internet security are common and make the news almost daily. There are many examples reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of exploitation of security flaws, but other types of attacks against sites and systems exist and can cause damage to society. <br />
<br />
The dependence of our society on Internet services is such that the mere unavailability of some of these services (often caused by attackers using techniques that exploit security holes in the Internet infrastructure) is featured on the evening news, as is the unavailability of well-known web sites and networks such as Sony's PlayStation Network.<br />
<br />
CERT/CC, the Computer Emergency Response Team, coordinates response to Internet related emergencies and attacks. The CERT statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7236 in 2007. <br />
<br />
add local statistics here.<br />
<br />
The state of Internet security is delicate and tends to worsen as society increases its dependency on this network and its applications. In an analogy with the recent financial market crisis (the subprime crisis in the housing market), we have a vibrant ecosystem of applications and web sites whose foundation is not solid enough. The risk is real that the foundation of this ecosystem could collapse, as happened with the financial markets, and the consequences could be devastating for society as a whole. As in the case of the financial markets, securing the foundation is important, and the cost of doing so now is certainly lower than the cost of acting only after a crisis.<br />
<br />
==The Open Web Application Security Project==<br />
<br />
OWASP is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.<br />
<br />
OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security. <br />
<br />
OWASP is a new type of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open manner. <br />
<br />
Among its projects, OWASP has documents and important tools for maintaining the security of applications, and it also promotes important conferences in this area. All OWASP projects are free to use and distribute.<br />
<br />
OWASP is a non-profit organization and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.<br />
<br />
==What can we do?==<br />
<br />
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.<br />
<br />
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.<br />
<br />
===By legislators===<br />
<br />
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality on the Internet. Governments need to act to create incentives for the adoption of secure practices in system development and also to hold accountable the people and organizations that do not properly address the security aspects of their applications.<br />
<br />
Some suggested actions are:<br />
<br />
====Allow and encourage research on cyber attacks and defenses====<br />
<br />
Cyber crime legislation is needed, and OWASP does not seek to protect illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much-needed research that will allow us to correctly address security vulnerabilities. <br />
<br />
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.<br />
<br />
====Require the publication of security assessments====<br />
<br />
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.<br />
<br />
As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.<br />
<br />
====Create an agency to address the aspects of disclosure of security flaws====<br />
<br />
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.<br />
<br />
====Require compliance with minimum security requirements in government contracts====<br />
<br />
The purchasing power of government cannot be ignored and must be used in favor of society. In the context of software security, the government can set minimum security criteria and require qualification and the use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of security failures.<br />
<br />
====Make organizations which are not diligent about software security accountable====<br />
<br />
Like government suppliers, all organizations must be legally responsible for the security of the systems they operate or sell. The legislation should provide for penalties for those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.<br />
<br />
====Require that the government have access to security updates for all software during its lifetime====<br />
<br />
It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities. Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.<br />
<br />
====Require open sourcing of applications used by the government and whose lifetime has expired====<br />
<br />
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of its life, software manufacturers often stop publishing updates and security fixes, which increases the risk to organizations still relying on these versions.<br />
<br />
It is also quite common for government agencies to keep using systems that have long been abandoned by their manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires legislation to compel manufacturers to make available the source code of these systems, so that the government is able to perform the necessary maintenance once the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.<br />
<br />
====Eliminate software licenses which exempt manufacturers from liability for the security of their products====<br />
<br />
Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer from avoiding liability for the safety and security of the products it sells.<br />
<br />
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.<br />
<br />
===For consumer protection agencies===<br />
<br />
Our understanding is that the protection of customer information is part of the necessary consumer protection practices, as is supplying systems free of defects, especially defects that may compromise the security of their users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.<br />
<br />
We suggest the following actions:<br />
<br />
====Act to restrict the use of abusive software licenses ====<br />
<br />
This action is similar and complementary to the item &quot;Eliminate software licenses which exempt manufacturers from liability for the security of their products&quot; described above.<br />
<br />
====Require manufacturers to disclose understandable information on the security level of their products or services====<br />
<br />
As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.<br />
<br />
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.<br />
<br />
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.<br />
<br />
====Require an adequate level of security for systems that deal with private data====<br />
<br />
Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for the protection of information collected from consumers is required, and public or private organizations that do not adequately protect personal information should be liable. Personal information leaks should be penalized and should be disclosed. In particular, all individuals potentially affected by a leak should be alerted to the fact and its possible consequences.<br />
<br />
Some places already have legislation on data leaks, and this item may be unnecessary there.<br />
<br />
====Define that consumers should be informed of all possible uses of data provided to systems or sites====<br />
<br />
Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations are obligated to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.<br />
<br />
Some places already have legislation about this issue, and this item may be unnecessary there.<br />
<br />
====Establish software security awareness campaigns for consumers====<br />
<br />
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.<br />
<br />
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their own computer device to prevent it from becoming a weapon in the hands of cybercriminals.<br />
<br />
===For oversight agencies===<br />
<br />
Auditing bodies can and should demand the adoption of appropriate practices for application security in sectors they oversee. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:<br />
<br />
====Define clear responsibilities about application security====<br />
<br />
Every organization should be responsible for the security of its systems, and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where systems do not have adequate security.<br />
<br />
====Verify and audit to ensure that appropriate security practices are adopted====<br />
<br />
Whenever possible, audits or checks must include items to assess whether the best application security practices were properly adopted and implemented. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.<br />
<br />
There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).<br />
<br />
====Insert the security aspects of applications in regulations or recommendations====<br />
<br />
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.<br />
<br />
====Facilitate the creation of an insurance market for application security====<br />
<br />
As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.<br />
<br />
An insurance market allows the transfer of part of the security risk to an insurer, and tends to increase insurance costs for entities that do not treat the security aspects of their systems properly. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to improve their security posture.<br />
<br />
====Require the use of encrypted connections (SSL) for web applications====<br />
<br />
Many of the attacks seen today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which encrypts the data transmitted between the browser and the web server, ensuring the confidentiality and authenticity of the information.<br />
<br />
Thus, one simple measure to improve the security of web systems is to require that data be transmitted securely over the Internet.<br />
<br />
===For research and teaching institutions===<br />
<br />
Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a prosperous application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. Training should occur by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. The interaction of educational and research institutions with industry for technology transfer and productization is greatly needed.<br />
<br />
The suggested actions for education and research institutions are:<br />
<br />
====Inclusion of application security best practices in course content====<br />
<br />
It is essential that all information technology professionals are aware of basic security practices, and the inclusion of such content in university training is the best way to achieve this goal.<br />
<br />
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.<br />
<br />
====Creation of advanced courses in the field====<br />
<br />
Besides the basic practices that must be known by all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.<br />
<br />
====To promote and fund application security research====<br />
<br />
Generating knowledge is also essential for a country to take a world leadership role in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.<br />
<br />
The promotion of knowledge and technology development in business is critical to a country's ability to create a market in application security products and its ability to create advanced and innovative technologies.<br />
<br />
====To promote the training of professionals capable of acting with ethics and responsibility====<br />
<br />
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.<br />
<br />
===For all public bodies===<br />
<br />
Any public agency may help to improve the current state of affairs by either undertaking awareness and training, or by using its purchasing power to favor companies that treat the security aspects of applications adequately.<br />
<br />
The suggested actions for all public organizations are:<br />
<br />
====Financing validations and security fixes for open source systems====<br />
<br />
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in publishing secure configurations, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.<br />
<br />
Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.<br />
<br />
====Promote the use of application security technologies and methodologies====<br />
<br />
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.<br />
<br />
It should be the responsibility of each agency to ensure that its systems have adequate security and that appropriate techniques are used in developing its computer systems.<br />
<br />
====Promote and enable security testing responsibly but openly====<br />
<br />
Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.<br />
<br />
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already covertly testing these systems, while legitimate, well-intentioned researchers are not, so criminals currently have an advantage. The best way to balance this dispute is to facilitate the work of researchers and security professionals in finding faults and reporting them appropriately, instead of having these faults used as currency in the digital underworld.<br />
<br />
====Promote awareness and training of managers about the challenges of web security====<br />
<br />
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in appropriate training and awareness sessions.<br />
<br />
==Competitive advantages for the country==<br />
<br />
The technology field is an economic activity with high added value, and therefore has the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.<br />
<br />
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in cyber-conflicts, cyber espionage and electronic warfare.<br />
<br />
The development of this field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability. <br />
<br />
The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investment, especially investment in businesses directly related to the Internet or enterprise software development.<br />
<br />
==How can OWASP help?==<br />
<br />
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.<br />
<br />
The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.<br />
<br />
The experts that participate in OWASP are willing to contribute to helping the country move in the right direction and may serve as an advisory body or as a liaison with foreign experts if necessary.</div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_Manifesto/enOWASP Brasil Manifesto/en2011-06-24T17:47:01Z<p>Sapao: /* Allow and encourage research on cyber attacks and defenses */</p>
<hr />
<div>=Web Security - A Window of Opportunity=<br />
'''A white paper from OWASP to Governments'''<br />
<br />
==Executive Summary==<br />
The Open Web Application Security Project (OWASP) is a global and open community focused on improving the security of software systems and has chapters in cities around the world. This document presents the vision of the Brazilian OWASP community on how governments can act to improve security on the Internet.<br />
<br />
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security of the Internet and related software applications.<br />
<br />
The recommendations are divided according to the focus of each agency:<br />
* legislators<br />
* consumer protection bodies<br />
* control and audit bodies<br />
* teaching and research institutions<br />
* all public bodies<br />
<br />
The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the local Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.<br />
<br />
The experts that participate in OWASP are willing to contribute to the country, helping it move in the right direction, and could, for example, serve as an advisory body or provide a channel for liaison with foreign experts if necessary. The OWASP organization is non-profit, and all specialists involved are volunteers.<br />
<br />
==Web Insecurity==<br />
<br />
The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% and 350% for North America and Europe respectively.<br />
<br />
Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to &quot;always connected&quot; users, accessing the Internet using a computer or cell phone when and wherever they are.<br />
<br />
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.<br />
<br />
Also, governments have invested in the use of electronic government (e-gov), involving strategies which provide services to the population via the Internet.<br />
<br />
add e-gov examples here.<br />
<br />
As a communications tool, the Internet has become part of, and has changed, the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter are a reality in the lives of individuals and companies, and have gained importance as tools for community building as well as for business.<br />
<br />
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in part of the network. However, this infrastructure depends on computer programs, called software. It is the software that defines the rules for the operation of computers, routers and other components of the worldwide network. <br />
<br />
As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Lawrence Lessig, a law professor at Harvard University, said that &quot;Code is law&quot;, i.e., the software is the law that governs the Internet. As a result, the &quot;laws&quot; governing the Internet are flawed, and these flaws can cause problems for the security of the network's users.<br />
<br />
Flaws in Internet security are common and make the news almost daily. There are many examples reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of exploitation of security flaws, but other types of attacks against sites and systems exist and can cause damage to society. <br />
<br />
The dependence of our society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, as is the unavailability of well known web sites and networks such as Sony's Playstation network.<br />
<br />
CERT/CC, the Computer Emergency Response Team Coordination Center, coordinates response to Internet-related emergencies and attacks. The CERT statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7236 in 2007. <br />
<br />
add local statistics here.<br />
<br />
The state of Internet security is delicate and tends to worsen as society increases its dependency on this network and its applications. By analogy with the recent financial market crisis (the subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem could collapse, as happened with the financial markets, and the consequences could be devastating for society as a whole. As with the financial markets, securing the foundation is important, and the cost of doing so now is certainly lower than the cost of acting only after a crisis.<br />
<br />
==The Open Web Application Security Project==<br />
<br />
OWASP is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.<br />
<br />
OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security. <br />
<br />
OWASP is a new type of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open manner. <br />
<br />
The OWASP project produces documents and important tools for maintaining the security of applications, and also promotes important conferences in this area. All OWASP projects are free to use and distribute.<br />
<br />
OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.<br />
<br />
==What can we do?==<br />
<br />
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.<br />
<br />
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.<br />
<br />
===By legislators===<br />
<br />
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality on the Internet. It is necessary that governments act to create incentives for the adoption of safe practices in system development and also hold accountable the people and organizations that do not properly address the security aspects of their applications.<br />
<br />
Some suggested actions are:<br />
<br />
====Allow and encourage research on cyber attacks and defenses====<br />
<br />
Cyber crime legislation is needed, and OWASP's position is not to protect illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much-needed research that will allow us to correctly address security vulnerabilities. <br />
<br />
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.<br />
<br />
====Require the publication of security assessments====<br />
<br />
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.<br />
<br />
As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.<br />
<br />
====Create an agency to address the aspects of disclosure of security flaws====<br />
<br />
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.<br />
<br />
====Require compliance with minimum security requirements in government contracts====<br />
<br />
The purchasing power of government cannot be ignored and must be used in favor of society. In the context of software security, the government can set minimum security criteria and require qualification and the use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of security failures.<br />
<br />
====Make organizations which are not diligent about software security accountable====<br />
<br />
Like other government suppliers, all organizations must be legally responsible for the security of the systems that they operate or sell. The legislation should provide for penalties for those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.<br />
<br />
====Require that the government have access to security updates for all software during its lifetime====<br />
<br />
It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities. Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.<br />
<br />
====Require open sourcing of applications used by the government and whose lifetime has expired====<br />
<br />
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of its life, software manufacturers often stop publishing updates and security fixes, which increases the risk to organizations still relying on these versions.<br />
<br />
It is also quite common in government agencies to keep using systems that have been long-abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.<br />
<br />
====Eliminate software licenses which exempt manufacturers from liability for the security of their products====<br />
<br />
Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer from avoiding liability for the safety and security of the products it sells.<br />
<br />
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.<br />
<br />
===For consumer protection agencies===<br />
<br />
Our understanding is that the protection of customer information is part of the necessary consumer protection practices, as is the supply of systems free of defects, especially defects that may compromise the security of their users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.<br />
<br />
We suggest the following actions:<br />
<br />
====Act to restrict the use of abusive software licenses ====<br />
<br />
This action is similar and complementary to the item &quot;Eliminate software licenses which exempt manufacturers from liability for the security of their products&quot;, described above.<br />
<br />
====Require manufacturers to disclose understandable information on the security level of their products or services====<br />
<br />
As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.<br />
<br />
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.<br />
<br />
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.<br />
<br />
====Require an adequate level of security for systems that deal with private data====<br />
<br />
Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, minimum procedures for the protection of information collected from consumers must be defined, and public or private organizations that do not adequately protect personal information should be liable. Personal information leaks should be penalized and should be disclosed. In particular, all individuals potentially affected by a leak should be alerted to the fact and its possible consequences.<br />
<br />
Some places already have legislation on data leaks, and this item may be unnecessary.<br />
<br />
====Define that consumers should be informed of all possible uses of data provided to systems or sites====<br />
<br />
Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations are obligated to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.<br />
<br />
Some places already have legislation about this issue and this item may be unnecessary.<br />
<br />
====Establish software security awareness campaigns for consumers====<br />
<br />
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.<br />
<br />
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their own computer device to prevent it from becoming a weapon in the hands of cybercriminals.<br />
<br />
===For oversight agencies===<br />
<br />
Auditing bodies can and should demand the adoption of appropriate practices for application security in sectors they oversee. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:<br />
<br />
====Define clear responsibilities about application security====<br />
<br />
Every organization should be responsible for the security of its systems, and this responsibility should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where adequate security systems are not in place.<br />
<br />
====Verify and audit to ensure that appropriate security practices are adopted====<br />
<br />
Whenever possible, audits or checks must include items to assess whether the best application security practices were properly adopted and implemented. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.<br />
<br />
There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).<br />
<br />
====Insert the security aspects of applications in regulations or recommendations====<br />
<br />
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.<br />
<br />
====Facilitate the creation of an insurance market for application security====<br />
<br />
As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.<br />
<br />
An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to improve their security posture.<br />
<br />
====Require the use of encrypted connections (SSL) for web applications====<br />
<br />
Many of the attacks seen today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which encrypts the data transmitted between the browser and the web server, ensuring the confidentiality and authenticity of the information.<br />
<br />
Thus, one simple measure to improve the security of web systems is to require that data be transmitted securely over the Internet.<br />
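An oversight body that adopts the requirement above (it appears in both revisions of the manifesto carried in this feed) needs a repeatable way to verify it. The following check is an added illustration, not part of the manifesto or of any OWASP tool: given the responses a web application returns for its plaintext and its encrypted endpoint, it reports whether plaintext requests are redirected to HTTPS and whether the HTTPS endpoint sends a Strict-Transport-Security header. The host name, the two sample responses and the one-year minimum HSTS age are constructed assumptions for the example.<br />

```python
"""Verify that a web application enforces encrypted (HTTPS) connections.

Added example for the "require encrypted connections" recommendation; it is
not code from the manifesto or from OWASP. The responses below are constructed
samples, not captured from a real site. The function accepts any
(status_code, headers) pair, e.g. one obtained with http.client or requests.
"""
from urllib.parse import urlsplit

# Minimum HSTS max-age to accept, in seconds (one year; an assumed policy value).
MIN_HSTS_MAX_AGE = 365 * 24 * 3600


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains); max_age is None if the header is
    malformed or carries no max-age directive.
    """
    max_age = None
    subdomains = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None, False
        elif name == "includesubdomains":
            subdomains = True
    return max_age, subdomains


def check_transport_security(host, http_response, https_response):
    """Check that plaintext HTTP is redirected to HTTPS on the same host and
    that the HTTPS endpoint pins browsers to TLS with HSTS.

    http_response / https_response are (status_code, headers) as returned for
    http://host/ and https://host/. Returns a list of findings; an empty list
    means the requirement is met.
    """
    findings = []

    # 1. A plaintext request must be answered with a redirect to https://host/,
    #    never with content served in the clear.
    status, headers = http_response
    headers = {k.lower(): v for k, v in headers.items()}
    if status not in (301, 302, 307, 308):
        findings.append("http: content served over plaintext (status %d)" % status)
    else:
        location = headers.get("location", "")
        target = urlsplit(location)
        if target.scheme != "https":
            findings.append("http: redirect target is not https (%r)" % location)
        elif target.hostname != host:
            findings.append("http: redirect leaves the host (%s)" % target.hostname)

    # 2. The HTTPS endpoint should send HSTS so browsers stop trying HTTP.
    status, headers = https_response
    headers = {k.lower(): v for k, v in headers.items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("https: Strict-Transport-Security header missing")
    else:
        max_age, _ = parse_hsts(hsts)
        if max_age is None:
            findings.append("https: malformed Strict-Transport-Security header")
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append("https: HSTS max-age %d below %d" % (max_age, MIN_HSTS_MAX_AGE))
    return findings


# Constructed sample responses (hypothetical host, not a real site).
HOST = "www.example.gov"
GOOD_HTTP = (301, {"Location": "https://www.example.gov/"})
GOOD_HTTPS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
BAD_HTTP = (200, {"Content-Type": "text/html"})
BAD_HTTPS = (200, {"Content-Type": "text/html"})

if __name__ == "__main__":
    for label, pair in (("compliant", (GOOD_HTTP, GOOD_HTTPS)),
                        ("non-compliant", (BAD_HTTP, BAD_HTTPS))):
        print(label, check_transport_security(HOST, *pair) or ["ok"])
```

Run as a script it prints an empty finding list for the compliant sample and two findings for the non-compliant one. The redirect check deliberately rejects a redirect that lands on another host or stays on http://, since either would let data leave the browser in the clear before the encrypted connection is established.<br />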
<br />
===For research and teaching institutions===<br />
<br />
Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a prosperous application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. Training should occur by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. The interaction of educational and research institutions with industry for technology transfer and productization is greatly needed.<br />
<br />
The suggested actions for education and research institutions are:<br />
<br />
====Inclusion of application security best practices in course content====<br />
<br />
It is essential that all information technology professionals are aware of basic security practices, and the inclusion of such content in university training is the best way to achieve this goal.<br />
<br />
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.<br />
<br />
====Creation of advanced courses in the field====<br />
<br />
Besides the basic practices that must be known by all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.<br />
<br />
====To promote and fund application security research====<br />
<br />
Generating knowledge is also essential for a country to take a world leadership role in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.<br />
<br />
The promotion of knowledge and technology development in business is critical to a country's ability to create a market in application security products and its ability to create advanced and innovative technologies.<br />
<br />
====To promote the training of professionals capable of acting with ethics and responsibility====<br />
<br />
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.<br />
<br />
===For all public bodies===<br />
<br />
Any public agency may help to improve the current state of affairs by either undertaking awareness and training, or by using its purchasing power to favor companies that treat the security aspects of applications adequately.<br />
<br />
The suggested actions for all public organizations are:<br />
<br />
====Financing validations and security fixes for open source systems====<br />
<br />
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in publishing secure configurations, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.<br />
<br />
Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.<br />
<br />
====Promote the use of application security technologies and methodologies====<br />
<br />
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.<br />
<br />
It should be the responsibility of each agency ensure that their systems have adequate security and that appropriate techniques are used in developing their computer systems.<br />
<br />
====Promote and enable security testing responsibly but openly====<br />
<br />
Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.<br />
<br />
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own undercover testing on these systems, unlike legitimate researchers with good intentions. So, criminals currently have an advantage. The best way to balance this dispute is to facilitate the work of researchers and security professionals to find faults and report them appropriately instead of having these faults used as a currency in the digital underworld.<br />
<br />
====Promote awareness and training of managers about the challenges of web security====<br />
<br />
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in appropriate training and awareness sessions.<br />
<br />
==Competitive advantages for the country==<br />
<br />
The technology field is an economic activity with high added value, and therefore has the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.<br />
<br />
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in cyber-conflicts, cyber espionage and electronic warfare.<br />
<br />
The development of this field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability. <br />
<br />
The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investment, especially investment in businesses directly related to the Internet or enterprise software development.<br />
<br />
==How can OWASP help?==<br />
<br />
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.<br />
<br />
The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.<br />
<br />
The experts that participate in OWASP are willing to contribute to help the country move in the right direction and may serve as an advisory body or as a liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.</div>
Sapao | https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/en | OWASP Brasil Manifesto/en | 2011-06-24T17:44:53Z<p>Sapao: /* The Open Web Application Security Project */</p>
<hr />
<div>=Web Security - A Window of Opportunity=<br />
'''A white paper from OWASP to Governments'''<br />
<br />
==Executive Summary==<br />
The Open Web Application Security Project (OWASP) is a global and open community focused on improving the security of software systems and has chapters in cities around the world. This document presents the vision of the Brazilian OWASP community on how governments can act to improve security on the Internet.<br />
<br />
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security of the Internet and related software applications.<br />
<br />
The recommendations are divided according to the focus of each agency:<br />
* legislators<br />
* consumer protection bodies<br />
* control and audit bodies<br />
* teaching and research institutions<br />
* all public bodies<br />
<br />
The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the local Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.<br />
<br />
The experts that participate in OWASP are willing to contribute to the country and to help it move in the right direction; they could, for example, serve as an advisory body or provide a channel for liaison with foreign experts if necessary. The OWASP organization is non-profit, and all specialists involved are volunteers.<br />
<br />
==Web Insecurity==<br />
<br />
The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% and 350% for North America and Europe respectively.<br />
<br />
Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to &quot;always connected&quot; users, accessing the Internet using a computer or cell phone when and wherever they are.<br />
<br />
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.<br />
<br />
Also, governments have invested in the use of electronic government (e-gov), involving strategies which provide services to the population via the Internet.<br />
<br />
add e-gov examples here.<br />
<br />
If seen as a communications tool, the Internet has included and also changed the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter, are a reality in the lives of individuals and companies, and have gained importance as tools for community building as well as for business.<br />
<br />
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster destroys part of the network. Surviving outages, however, is not the same as resisting attackers: this infrastructure depends on computer programs, called software, and it is the software that defines the rules for the operation of computers, routers and other components of the worldwide network.<br />
<br />
As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Lawrence Lessig, a law professor at Harvard University, said that &quot;Code is law&quot;, i.e., the software is the law that governs the Internet. As a result, the &quot;laws&quot; governing the Internet are flawed and these flaws can cause problems for the security of the network's users.<br />
<br />
Flaws in Internet security are common and make the news almost daily. There are many examples reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of exploitation of security flaws, but other types of attacks against sites and systems exist and can cause damage to society. <br />
<br />
The dependence of our society on Internet services is such that the mere unavailability of some of these services (often caused by attackers using techniques that exploit security holes in the Internet infrastructure) is featured on the evening news, as is the unavailability of well known web sites and networks such as Sony's PlayStation Network.<br />
<br />
CERT/CC, the CERT Coordination Center, coordinates response to Internet related emergencies and attacks. The CERT/CC statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7236 in 2007. <br />
<br />
add local statistics here.<br />
<br />
The state of Internet security is delicate and tends to worsen as society increases its dependency on this network and its applications. In an analogy with the recent financial market crisis (the subprime crisis in the housing market), we have a vibrant ecosystem of applications and web sites whose base is not solid enough. The risk is real that the basis of this ecosystem will collapse, as happened with the financial markets, and the consequences could be devastating for society as a whole. As in the case of the financial markets, securing the foundation is important, and the cost of acting now is certainly lower than the cost of acting only after a crisis.<br />
<br />
==The Open Web Application Security Project==<br />
<br />
OWASP is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.<br />
<br />
OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security. <br />
<br />
OWASP is a new type of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open manner. <br />
<br />
Among OWASP's projects are documents and tools that are important for maintaining the security of applications, and OWASP also organizes major conferences in this area. All OWASP projects are free to use and distribute.<br />
<br />
OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.<br />
<br />
==What can we do?==<br />
<br />
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.<br />
<br />
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.<br />
<br />
===By legislators===<br />
<br />
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality on the Internet. Governments need to act to create incentives for the adoption of safe practices in system development and also to hold accountable the people and organizations that do not properly address the security aspects of their applications.<br />
<br />
Some suggested actions are:<br />
<br />
====Allow and encourage research on cyber attacks and defenses====<br />
<br />
Cyber crime legislation is needed, and OWASP does not defend illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities. <br />
<br />
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.<br />
<br />
====Require the publication of security assessments====<br />
<br />
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.<br />
<br />
As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.<br />
<br />
====Create an agency to address the aspects of disclosure of security flaws====<br />
<br />
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.<br />
<br />
====Require compliance with minimum security requirements in government contracts====<br />
<br />
The purchasing power of government cannot be ignored and must be used in favor of society. In the context of software security, the government can set minimum security criteria and require the qualification of suppliers and the use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of security failures.<br />
<br />
====Make organizations which are not diligent about software security accountable====<br />
<br />
Like government suppliers, all organizations must be legally responsible for the security of the systems they operate or sell. The legislation should provide for penalties for organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.<br />
<br />
====Require that the government have access to security updates for all software during its lifetime====<br />
<br />
It is imperative that the systems used by public agencies are always updated with all security fixes, so that they are not affected by known vulnerabilities. Thus, legislation is needed to establish that the government must have access to security fixes for the systems it employs for the duration of the useful life of these systems, regardless of the existence of maintenance contracts.<br />
<br />
====Require open sourcing of applications used by the government and whose lifetime has expired====<br />
<br />
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of its life, software manufacturers often stop publishing updates and security fixes, which increases the risk to organizations still relying on these versions.<br />
<br />
It is also quite common for government agencies to keep using systems that have long been abandoned by their manufacturers but that still meet the needs of the public administration. To allow the government to protect itself against failures in these systems, legislation is needed to compel manufacturers to make the source code of such systems available, so that the government is able to perform the necessary maintenance once the manufacturer no longer maintains the system. The manufacturer may instead choose to provide the most current version of the software, provided there is no cost to the government.<br />
<br />
====Eliminate software licenses which exempt manufacturers from liability for the security of their products====<br />
<br />
Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer from avoiding liability for the safety and security of the products it sells.<br />
<br />
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.<br />
<br />
===For consumer protection agencies===<br />
<br />
Our understanding is that the protection of customer information is part of the necessary consumer protection practices, as is the supply of systems free of defects, especially defects that may compromise the security of their users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.<br />
<br />
We suggest the following actions:<br />
<br />
====Act to restrict the use of abusive software licenses ====<br />
<br />
This action is similar and complementary to the item &quot;Eliminate software licenses which exempt manufacturers from liability for the security of their products, &quot; described above.<br />
<br />
====Require manufacturers to disclose understandable information on the security level of their products or services====<br />
<br />
As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.<br />
<br />
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.<br />
<br />
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.<br />
<br />
====Require an adequate level of security for systems that deal with private data====<br />
<br />
Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for the protection of information collected from consumers is required, and public or private organizations that do not adequately protect personal information should be liable. Personal information leaks should be penalized and should be disclosed. In particular, all individuals potentially affected by a leak should be alerted to the fact and its possible consequences.<br />
<br />
Some places already have legislation on data leaks, and this item may be unnecessary there.<br />
<br />
====Define that consumers should be informed of all possible uses of data provided to systems or sites====<br />
<br />
Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations are obligated to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.<br />
<br />
Some places already have legislation about this issue and this item may be unnecessary.<br />
<br />
====Establish software security awareness campaigns for consumers====<br />
<br />
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.<br />
<br />
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their own computer device to prevent it from becoming a weapon in the hands of cybercriminals.<br />
<br />
===For oversight agencies===<br />
<br />
Auditing bodies can and should demand the adoption of appropriate practices for application security in sectors they oversee. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:<br />
<br />
====Define clear responsibilities about application security====<br />
<br />
Every organization should be responsible for the security of its systems, and this responsibility should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where systems lack adequate security.<br />
<br />
====Verify and audit to ensure that appropriate security practices are adopted====<br />
<br />
Whenever possible, audits or checks must include items to assess whether the best application security practices were properly adopted and implemented. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.<br />
<br />
There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).<br />
<br />
====Insert the security aspects of applications in regulations or recommendations====<br />
<br />
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.<br />
<br />
====Facilitate the creation of an insurance market for security applications====<br />
<br />
As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.<br />
<br />
An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to improve their security posture.<br />
<br />
====Require the use of encrypted connections (SSL/TLS) for web applications====<br />
<br />
Many of today's attacks are possible only because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, today superseded by its successor TLS, which encrypts the data transmitted between the browser and the web server. When the browser validates the server's certificate, this provides confidentiality and integrity for the data in transit and authenticates the server to the user; it does not protect against flaws in the application itself, so it is a necessary baseline rather than a complete solution.<br />
<br />
Thus, one simple measure to improve the security of web systems is to require that all data, including login pages and session cookies, be transmitted over encrypted connections, and that plain HTTP access to the application be redirected to HTTPS rather than served.<br />
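What "requiring encrypted connections" looks like in practice, as an added example that is not part of the manifesto: a weak nginx server block that serves an application over plain HTTP, beside the corrected configuration that redirects HTTP to HTTPS, accepts only current TLS versions and tells browsers to refuse plain HTTP in future (HSTS). It goes slightly beyond the paragraph above by showing the protocol and cookie settings that make the requirement effective. The hostname agency.example, the certificate paths and the backend on port 8080 are assumptions for illustration, not values from any real deployment.<br />

```nginx
# WEAK: the application is reachable over plain HTTP. Credentials, session
# cookies and form data cross the network in clear text and can be read or
# altered by anyone on the path (hostname and backend are assumed values).
server {
    listen 80;
    server_name agency.example;
    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}

# CORRECTED: plain HTTP exists only to send the browser to HTTPS ...
server {
    listen 80;
    server_name agency.example;
    return 301 https://$host$request_uri;
}

# ... and the application itself is served over TLS only.
server {
    listen 443 ssl;
    server_name agency.example;

    # Certificate chain and private key (assumed paths).
    ssl_certificate     /etc/ssl/agency.example/fullchain.pem;
    ssl_certificate_key /etc/ssl/agency.example/privkey.pem;

    # Refuse SSLv2/SSLv3 and TLS 1.0/1.1; what the manifesto calls "SSL" is
    # delivered today by TLS 1.2 and 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: a browser that has seen this header will not attempt plain HTTP
    # to this host for a year, so a downgrade link or typed "http://" URL is
    # upgraded locally. Deploy with a short max-age first; a wrong HSTS
    # policy locks users out until it expires.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        # Mark cookies issued by the backend as Secure so the browser never
        # sends them over HTTP (proxy_cookie_flags requires nginx 1.19.3+).
        proxy_cookie_flags ~ secure httponly;
    }
}
```

To check the result from outside, `curl -I http://agency.example/` should return a 301 with a `Location: https://...` header, and `curl -I https://agency.example/` should return the `Strict-Transport-Security` header; a plain-HTTP request that returns 200 with application content means the requirement is not being met.<br />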
<br />
===For research and teaching institutions===<br />
<br />
Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a prosperous application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. Training should occur by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. The interaction of educational and research institutions with industry for technology transfer and productization is greatly needed.<br />
<br />
The suggested actions for education and research institutions are:<br />
<br />
====Inclusion of application security best practices in course content====<br />
<br />
It is essential that all information technology professionals are aware of basic security practices, and the inclusion of such information in university training is the best way to achieve this goal.<br />
<br />
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.<br />
<br />
====Creation of advanced courses in the field====<br />
<br />
Besides the basic practices that must be known by all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.<br />
<br />
====To promote and fund application security research====<br />
<br />
Generating knowledge is also essential for a country to take a world leadership role in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.<br />
<br />
The promotion of knowledge and technology development in business is critical to a country's ability to create a market in application security products and its ability to create advanced and innovative technologies.<br />
<br />
====To promote the training of professionals capable of acting with ethics and responsibility====<br />
<br />
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.<br />
<br />
===For all public bodies===<br />
<br />
Any public agency may help to improve the current state of affairs by either undertaking awareness and training, or by using its purchasing power to favor companies that treat the security aspects of applications adequately.<br />
<br />
The suggested actions for all public organizations are:<br />
<br />
====Financing validations and security fixes for open source systems====<br />
<br />
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in publishing secure configurations, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.<br />
<br />
Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.<br />
<br />
====Promote the use of application security technologies and methodologies====<br />
<br />
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.<br />
<br />
It should be the responsibility of each agency to ensure that its systems have adequate security and that appropriate techniques are used in developing its computer systems.<br />
<br />
====Promote and enable security testing responsibly but openly====<br />
<br />
Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.<br />
<br />
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own covert testing on these systems, unlike legitimate researchers with good intentions, so criminals currently have an advantage. The best way to balance this dispute is to facilitate the work of researchers and security professionals in finding vulnerabilities and reporting them appropriately, instead of having those vulnerabilities traded as currency in the digital underworld.<br />
<br />
====Promote awareness and training of managers about the challenges of web security====<br />
<br />
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in appropriate training and awareness sessions.<br />
<br />
==Competitive advantages for the country==<br />
<br />
The technology field is an economic activity with high added value, and therefore has the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.<br />
<br />
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in cyber-conflicts, cyber espionage and electronic warfare.<br />
<br />
The development of this field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability. <br />
<br />
The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investment, especially investment in businesses directly related to the Internet or enterprise software development.<br />
<br />
==How can OWASP help?==<br />
<br />
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.<br />
<br />
The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.<br />
<br />
The experts that participate in OWASP are willing to contribute to making the country move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.</div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_Manifesto/enOWASP Brasil Manifesto/en2011-06-24T17:42:29Z<p>Sapao: /* Web Insecurity */</p>
<hr />
<div>=Web Security - A Window of Opportunity=<br />
'''A white paper from OWASP to Governments'''<br />
<br />
==Executive Summary==<br />
The Open Web Application Security Project (OWASP) is a global and open community focused on improving the security of software systems and has chapters in cities around the world. This document presents the vision of the Brazilian OWASP community on how the governments can act to improve security on the Internet.<br />
<br />
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security of the Internet and related software applications.<br />
<br />
The recommendations are divided according to the focus of each agency:<br />
* legislators<br />
* consumer protection bodies<br />
* control and audit bodies<br />
* teaching and research institutions<br />
* all public bodies<br />
<br />
The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the local Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.<br />
<br />
The experts that participate in OWASP are willing to contribute to the country, to help it move in the right direction and, for example, could serve as an advisory body or provide a channel for liaison with foreign experts if necessary. The OWASP organization is non-profit, and all specialists involved are volunteers.<br />
<br />
==Web Insecurity==<br />
<br />
The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% and 350% for North America and Europe respectively.<br />
<br />
Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to &quot;always connected&quot; users, accessing the Internet using a computer or cell phone when and wherever they are.<br />
<br />
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.<br />
<br />
Also, governments have invested in the use of electronic government (e-gov), involving strategies which provide services to the population via the Internet.<br />
<br />
add e-gov examples here.<br />
<br />
If seen as a communications tool, the Internet has included and also changed the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter, are a reality in the lives of individuals and companies, and have gained importance as tools for community building as well as for business.<br />
<br />
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in part of the network. However, this infrastructure depends on computer programs, called software. It is the software that defines the rules for the operation of computers, routers and other components of the worldwide network. <br />
<br />
As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Lawrence Lessig, a law professor at Harvard University, said that &quot;Code is law&quot;, i.e., the software is the law that governs the Internet. As a result, the &quot;laws&quot; governing the Internet are flawed and these flaws can cause problems for the security of the network users.<br />
<br />
Flaws in Internet security are common and make the news almost daily. There are many examples reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of exploitation of security flaws, but other types of attacks against sites and systems exist and can cause damage to society. <br />
<br />
The dependence of our society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, as is the unavailability of well known web sites and networks such as Sony's Playstation network.<br />
<br />
CERT/CC, the Computer Emergency Response Team, coordinates response to Internet related emergencies and attacks. The CERT statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7236 in 2007. <br />
<br />
add local statistics here.<br />
<br />
The state of Internet security is delicate and tends to worsen as society increases its dependency on this network and its applications. In an analogy with the recent financial market crisis (the subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem can collapse, as happened with the financial markets, and the consequences could be devastating for society as a whole. As in the case of financial markets, securing the foundation is important, and the cost of doing so now is certainly lower than the cost of acting only after a crisis.<br />
<br />
==The Open Web Application Security Project==<br />
<br />
OWASP is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.<br />
<br />
OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security. <br />
<br />
OWASP is a new type of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open manner. <br />
<br />
OWASP produces documents and important tools for maintaining the security of applications and also promotes important conferences in this area. All OWASP projects are published using [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].<br />
<br />
OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.<br />
<br />
==What can we do?==<br />
<br />
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.<br />
<br />
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.<br />
<br />
===By legislators===<br />
<br />
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality of the Internet. It is necessary that governments act to create incentives for the adoption of safe practices in system development and also hold accountable the people and organizations that do not properly address the security aspects of their applications.<br />
<br />
Some suggested actions are:<br />
<br />
====Allow and encourage research on cyber attacks and defenses====<br />
<br />
Cyber crime legislation is needed, and OWASP does not seek to protect illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities. <br />
<br />
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.<br />
<br />
====Require the publication of security assessments====<br />
<br />
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.<br />
<br />
As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.<br />
<br />
====Create an agency to address the aspects of disclosure of security flaws====<br />
<br />
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.<br />
<br />
====Require compliance with minimum security requirements in government contracts====<br />
<br />
The purchasing power of government cannot be ignored and must be used in favor of society. In the context of software security, the government can set minimum security criteria and require qualification and use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of failures in security.<br />
<br />
====Make organizations which are not diligent about software security accountable====<br />
<br />
Like other government suppliers, all organizations must be legally responsible for the security of the systems that they operate or sell. The legislation should provide for penalties to those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.<br />
<br />
====Require that the government have access to security updates for all software during its lifetime====<br />
<br />
It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities. Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.<br />
<br />
====Require open sourcing of applications used by the government and whose lifetime has expired====<br />
<br />
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of its life, software manufacturers often stop publishing updates and security fixes, which increases the risk to organizations still relying on these versions.<br />
<br />
It is also quite common in government agencies to keep using systems that have been long-abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.<br />
<br />
====Eliminate software licenses which exempt manufacturers from liability for the security of their products====<br />
<br />
Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer from avoiding liability for the safety and security of the products it sells.<br />
<br />
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.<br />
<br />
===For consumer protection agencies===<br />
<br />
Our understanding is that the protection of customer information is part of the necessary consumer protection practices, as is the supply of systems free of defects, especially defects that may compromise the security of their users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.<br />
<br />
We suggest the following actions:<br />
<br />
====Act to restrict the use of abusive software licenses ====<br />
<br />
This action is similar and complementary to the item &quot;Eliminate software licenses which exempt manufacturers from liability for the security of their products&quot; described above.<br />
<br />
====Require manufacturers to disclose understandable information on the security level of their products or services====<br />
<br />
As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.<br />
<br />
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.<br />
<br />
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.<br />
<br />
====Require an adequate level of security for systems that deal with private data====<br />
<br />
Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for the protection of information collected from consumers is required, and public or private organizations that do not adequately protect personal information should be liable. Personal information leaks should be penalized and should be disclosed. In particular, all those individuals potentially affected by the leak should be alerted to the fact and its possible consequences.<br />
<br />
Some places already have legislation on data leaks and this item may be unnecessary.<br />
<br />
====Define that consumers should be informed of all possible uses of data provided to systems or sites====<br />
<br />
Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations are obligated to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.<br />
<br />
Some places already have legislation about this issue and this item may be unnecessary.<br />
<br />
====Establish software security awareness campaigns for consumers====<br />
<br />
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.<br />
<br />
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their own computer device to prevent it from becoming a weapon in the hands of cybercriminals.<br />
<br />
===For oversight agencies===<br />
<br />
Auditing bodies can and should demand the adoption of appropriate practices for application security in sectors they oversee. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:<br />
<br />
====Define clear responsibilities about application security====<br />
<br />
Every organization should be responsible for the security of its systems and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where systems lack adequate security.<br />
<br />
====Verify and audit to ensure that appropriate security practices are adopted====<br />
<br />
Whenever possible, audits or checks must include items to assess whether the best application security practices were properly adopted and implemented. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.<br />
<br />
There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).<br />
<br />
====Insert the security aspects of applications in regulations or recommendations====<br />
<br />
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.<br />
<br />
====Facilitate the creation of an insurance market for security applications====<br />
<br />
As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.<br />
<br />
An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to improve their security posture.<br />
<br />
====Require the use of encrypted connections (SSL) for web applications====<br />
<br />
Many attacks that exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which allows the encryption of data transmitted between the browser and web servers, ensuring the confidentiality and authenticity of information.<br />
<br />
Thus, one simple measure to improve the security of web systems is to require that data must be transmitted securely over the Internet.<br />
<br />
===For research and teaching institutions===<br />
<br />
Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a prosperous application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. Training should occur by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. The interaction of educational and research institutions with industry for technology transfer and productization is greatly needed.<br />
<br />
The suggested actions for education and research institutions are:<br />
<br />
====Inclusion of application security best practices in course content====<br />
<br />
It is essential that all information technology professionals are aware of basic security practices, and the inclusion of such information in university training is the best way to achieve this goal.<br />
<br />
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.<br />
<br />
====Creation of advanced courses in the field====<br />
<br />
Besides the basic practices that must be known by all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.<br />
<br />
====To promote and fund application security research====<br />
<br />
Generating knowledge is also essential for a country to take a world leadership role in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.<br />
<br />
The promotion of knowledge and technology development in business is critical to a country's ability to create a market in application security products and its ability to create advanced and innovative technologies.<br />
<br />
====To promote the training of professionals capable of acting with ethics and responsibility====<br />
<br />
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.<br />
<br />
===For all public bodies===<br />
<br />
Any public agency may help to improve the current state of affairs by either undertaking awareness and training, or by using its purchasing power to favor companies that treat the security aspects of applications adequately.<br />
<br />
The suggested actions for all public organizations are:<br />
<br />
====Financing validations and security fixes for open source systems====<br />
<br />
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in publishing secure configurations, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.<br />
<br />
Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.<br />
<br />
====Promote the use of application security technologies and methodologies====<br />
<br />
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.<br />
<br />
It should be the responsibility of each agency to ensure that their systems have adequate security and that appropriate techniques are used in developing their computer systems.<br />
<br />
====Promote and enable security testing responsibly but openly====<br />
<br />
Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.<br />
<br />
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own undercover testing on these systems, unlike legitimate researchers with good intentions. So, criminals currently have an advantage. The best way to balance this dispute is to facilitate the work of researchers and security professionals to find faults and report them appropriately instead of having these faults used as a currency in the digital underworld.<br />
<br />
====Promote awareness and training of managers about the challenges of web security====<br />
<br />
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in appropriate training and awareness sessions.<br />
<br />
==Competitive advantages for the country==<br />
<br />
The technology field is an economic activity with high added value, and therefore has the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.<br />
<br />
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in cyber-conflicts, cyber espionage and electronic warfare.<br />
<br />
The development of this field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability. <br />
<br />
The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investment, especially investment in businesses directly related to the Internet or enterprise software development.<br />
<br />
==How can OWASP help?==<br />
<br />
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.<br />
<br />
The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.<br />
<br />
The experts that participate in OWASP are willing to contribute to making the country move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.</div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_Manifesto/enOWASP Brasil Manifesto/en2011-06-24T17:32:47Z<p>Sapao: /* Executive Summary */</p>
<hr />
<div>=Web Security - A Window of Opportunity=<br />
'''A white paper from OWASP to Governments'''<br />
<br />
==Executive Summary==<br />
The Open Web Application Security Project (OWASP) is a global and open community focused on improving the security of software systems and has chapters in cities around the world. This document presents the vision of the Brazilian OWASP community on how the governments can act to improve security on the Internet.<br />
<br />
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security of the Internet and related software applications.<br />
<br />
The recommendations are divided according to the focus of each agency:<br />
* legislators<br />
* consumer protection bodies<br />
* control and audit bodies<br />
* teaching and research institutions<br />
* all public bodies<br />
<br />
The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the local Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.<br />
<br />
The experts that participate in OWASP are willing to contribute to the country, to help it move in the right direction and, for example, could serve as an advisory body or provide a channel for liaison with foreign experts if necessary. The OWASP organization is non-profit, and all specialists involved are volunteers.<br />
<br />
==Web Insecurity==<br />
<br />
The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% and 350% for North America and Europe respectively.<br />
<br />
Internet access methods have also diversified and now include everything from traditional cybercafes to cell phones, over dialup as well as broadband connections. Thus, the range of users goes from the casual user who accesses from a public computer to &quot;always connected&quot; users, accessing the Internet using a computer or cell phone whenever and wherever they are.<br />
<br />
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.<br />
<br />
Also, governments have invested in the use of electronic government (e-gov), involving strategies which provide services to the population via the Internet.<br />
<br />
add e-gov examples here.<br />
<br />
If seen as a communications tool, the Internet has reached and changed the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter are a reality in the lives of individuals and companies, and have gained importance as tools for community building as well as for business.<br />
<br />
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in part of the network. However, this infrastructure depends on computer programs, called software. It is the software that defines the rules for the operation of computers, routers and other components of the worldwide network. <br />
<br />
As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Lawrence Lessig, a law professor at Harvard University, said that &quot;Code is law&quot;, i.e., the software is the law that governs the Internet. As a result, the &quot;laws&quot; governing the Internet are flawed, and these flaws can cause problems for the security of network users.<br />
<br />
Flaws in Internet security are common and make the news almost daily. There are many examples reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of exploitation of security flaws, but other types of attacks against sites and systems exist and can cause damage to society. <br />
<br />
The dependence of our society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, as is the unavailability of well known web sites and networks such as Sony's Playstation network.<br />
<br />
CERT/CC, the Computer Emergency Response Team, coordinates response to Internet related emergencies and attacks. The CERT statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7236 in 2007. <br />
<br />
add local statistics here.<br />
<br />
The state of Internet security is delicate and tends to worsen as society increases its dependency on this infrastructure. By analogy with the recent financial market crisis (the subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem could collapse, as happened with the financial markets, and the consequences could be devastating for society as a whole. As in the case of the financial markets, solidifying the infrastructure is important, and the cost of doing so is certainly lower than the cost of a crisis that strikes before action is taken.<br />
<br />
==The Open Web Application Security Project==<br />
<br />
OWASP is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.<br />
<br />
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate and maintain systems that are trustworthy. All OWASP tools, documents, forums and chapters are free and open to anyone interested in improving application security. <br />
<br />
OWASP is a new type of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, although it supports the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open manner. <br />
<br />
Among OWASP's deliverables are documents and important tools for maintaining the security of applications, and OWASP also organizes important conferences in this area. All OWASP projects are published using [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].<br />
<br />
OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.<br />
<br />
==What can we do?==<br />
<br />
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.<br />
<br />
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.<br />
<br />
===By legislators===<br />
<br />
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality on the Internet. It is necessary that governments act to create incentives for the adoption of safe practices in system development and also hold accountable the people and organizations that do not properly address the security aspects of their applications.<br />
<br />
Some suggested actions are:<br />
<br />
====Allow and encourage research on cyber attacks and defenses====<br />
<br />
Cyber crime legislation is needed, and OWASP's position is in favor of protection against illegal or harmful activities. However, OWASP realizes that some initiatives to legislate on electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities. <br />
<br />
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.<br />
<br />
====Require the publication of security assessments====<br />
<br />
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.<br />
<br />
As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.<br />
<br />
====Create an agency to address the aspects of disclosure of security flaws====<br />
<br />
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.<br />
<br />
====Require compliance with minimum security requirements in government contracts====<br />
<br />
The purchasing power of government cannot be ignored and must be used in favor of society. In the context of software security, the government can set minimum security criteria and require qualification and the use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of security failures.<br />
<br />
====Make organizations which are not diligent about software security accountable====<br />
<br />
Like government suppliers, all organizations must be legally responsible for the security of the systems that they operate or sell. The legislation should provide for penalties for those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.<br />
<br />
====Require that the government have access to security updates for all software during its lifetime====<br />
<br />
It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities. Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.<br />
<br />
====Require open sourcing of applications used by the government and whose lifetime has expired====<br />
<br />
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of its life, software manufacturers often stop publishing updates and security fixes, which increases the risk to organizations still relying on these versions.<br />
<br />
It is also quite common in government agencies to keep using systems that have been long-abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.<br />
<br />
====Eliminate software licenses which exempt manufacturers from liability for the security of their products====<br />
<br />
Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer from avoiding liability for the safety and security of the products it sells.<br />
<br />
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.<br />
<br />
===For consumer protection agencies===<br />
<br />
Our understanding is that the protection of customer information is part of the necessary consumer protection practices, as is the supply of systems free of defects, especially defects that may compromise the security of their users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.<br />
<br />
We suggest the following actions:<br />
<br />
====Act to restrict the use of abusive software licenses====<br />
<br />
This action is similar and complementary to the item &quot;Eliminate software licenses which exempt manufacturers from liability for the security of their products&quot;, described above.<br />
<br />
====Require manufacturers to disclose understandable information on the security level of their products or services====<br />
<br />
As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.<br />
<br />
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.<br />
<br />
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.<br />
<br />
====Require an adequate level of security for systems that deal with private data====<br />
<br />
Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for the protection of information collected from consumers is required, and public or private organizations that do not adequately protect personal information should be liable. Personal information leaks should be penalized and should be disclosed. In particular, all individuals potentially affected by a leak should be alerted to the fact and to its possible consequences.<br />
<br />
Some places already have legislation on data leaks, and this item may be unnecessary there.<br />
<br />
====Define that consumers should be informed of all possible uses of data provided to systems or sites====<br />
<br />
Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations are obligated to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be informed in advance and explicitly accepted by the affected consumers.<br />
<br />
Some places already have legislation about this issue and this item may be unnecessary.<br />
<br />
====Establish software security awareness campaigns for consumers====<br />
<br />
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.<br />
<br />
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their own computer device to prevent it from becoming a weapon in the hands of cybercriminals.<br />
<br />
===For oversight agencies===<br />
<br />
Auditing bodies can and should demand the adoption of appropriate practices for application security in sectors they oversee. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:<br />
<br />
====Define clear responsibilities about application security====<br />
<br />
Every organization should be responsible for the security of its systems, and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where systems do not have adequate security.<br />
<br />
====Verify and audit to ensure that appropriate security practices are adopted====<br />
<br />
Whenever possible, audits or checks must include items to assess whether the best application security practices were properly adopted and implemented. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.<br />
<br />
There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).<br />
<br />
====Insert the security aspects of applications in regulations or recommendations====<br />
<br />
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.<br />
<br />
====Facilitate the creation of an insurance market for security applications====<br />
<br />
As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.<br />
<br />
An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to improve their security posture.<br />
<br />
====Require the use of encrypted connections (SSL) for web applications====<br />
<br />
Many attacks that exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which encrypts the data transmitted between the browser and the web server, ensuring the confidentiality and authenticity of the information.<br />
<br />
Thus, one simple measure to improve the security of web systems is to require that data be transmitted securely over the Internet.<br />
<br />
===For research and teaching institutions===<br />
<br />
Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a prosperous application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. Training should occur by the inclusion of the security area in the contents of the universities and also by the training of researchers able to build new techniques and methodologies to advance this field. The interaction of educational and research institutions with industry for technology transfer and productization is greatly needed.<br />
<br />
The suggested actions for education and research institutions are:<br />
<br />
====Inclusion of application security best practices in course content====<br />
<br />
It is essential that all information technology professionals are aware of basic security practices, and the inclusion of such content in university training is the best way to achieve this goal.<br />
<br />
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.<br />
<br />
====Creation of advanced courses in the field====<br />
<br />
Besides the basic practices that must be known by all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.<br />
<br />
====To promote and fund application security research====<br />
<br />
Generating knowledge is also essential for a country to take a world leadership role in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.<br />
<br />
The promotion of knowledge and technology development in business is critical to a country's ability to create a market in application security products and its ability to create advanced and innovative technologies.<br />
<br />
====To promote the training of professionals capable of acting with ethics and responsibility====<br />
<br />
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.<br />
<br />
===For all public bodies===<br />
<br />
Any public agency may help to improve the current state of affairs by either undertaking awareness and training, or by using its purchasing power to favor companies that treat the security aspects of applications adequately.<br />
<br />
The suggested actions for all public organizations are:<br />
<br />
====Financing validations and security fixes for open source systems====<br />
<br />
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in publishing secure configurations, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.<br />
<br />
Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.<br />
<br />
====Promote the use of application security technologies and methodologies====<br />
<br />
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.<br />
<br />
It should be the responsibility of each agency to ensure that its systems have adequate security and that appropriate techniques are used in developing its computer systems.<br />
<br />
====Promote and enable security testing responsibly but openly====<br />
<br />
Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.<br />
<br />
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own covert testing of these systems, while legitimate researchers with good intentions are not allowed to. So, criminals currently have an advantage. The best way to balance this dispute is to facilitate the work of researchers and security professionals in finding faults and reporting them appropriately, instead of having these faults used as currency in the digital underworld.<br />
<br />
====Promote awareness and training of managers about the challenges of web security====<br />
<br />
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in appropriate training and awareness sessions.<br />
<br />
==Competitive advantages for the country==<br />
<br />
The technology field is an economic activity with high added value, and therefore has the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.<br />
<br />
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in cyber-conflicts, cyber espionage and electronic warfare.<br />
<br />
The development of this field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability. <br />
<br />
The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investment, especially investment in businesses directly related to the Internet or enterprise software development.<br />
<br />
==How can OWASP help?==<br />
<br />
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.<br />
<br />
The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.<br />
<br />
The experts that participate in OWASP are willing to contribute to moving the country in the right direction and may serve as an advisory body or as a liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.</div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_Manifesto/enOWASP Brasil Manifesto/en2011-06-24T17:30:10Z<p>Sapao: /* Web Security - A Window of Opportunity */</p>
<hr />
<div>=Web Security - A Window of Opportunity=<br />
'''A white paper from OWASP to Governments'''<br />
<br />
==Executive Summary==<br />
The Open Web Application Security Project (OWASP) is a global and open community focused on improving the security of software systems and has chapters in several Brazilian cities. This document presents the vision of the Brazilian OWASP community on how the Brazilian government can act to improve security on the Internet.<br />
<br />
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security of the Brazilian Internet and related software applications.<br />
<br />
The recommendations are divided according to the focus of each agency:<br />
* legislators<br />
* consumer protection bodies<br />
* control and audit bodies<br />
* teaching and research institutions<br />
* all public bodies<br />
<br />
The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the Brazilian Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.<br />
<br />
Brazilian experts that participate in OWASP are willing to contribute to the country, to help it move in the right direction and, for example, could serve as an advisory body or provide a channel for liaison with foreign experts if necessary. The OWASP organization is non-profit, and all specialists involved are volunteers.<br />
<br />
==Web Insecurity==<br />
<br />
The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% and 350% for North America and Europe respectively.<br />
<br />
Internet access methods have also diversified and now include everything from traditional cybercafes to cell phones, over dialup as well as broadband connections. Thus, the range of users goes from the casual user who accesses from a public computer to &quot;always connected&quot; users, accessing the Internet using a computer or cell phone whenever and wherever they are.<br />
<br />
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.<br />
<br />
Also, governments have invested in the use of electronic government (e-gov), involving strategies which provide services to the population via the Internet.<br />
<br />
add e-gov examples here.<br />
<br />
If seen as a communications tool, the Internet has reached and changed the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter are a reality in the lives of individuals and companies, and have gained importance as tools for community building as well as for business.<br />
<br />
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Its packet-switched design, conceived in the 1960s so that traffic can route around failed parts of the network, lets it keep operating even if a disaster takes out part of the network. That infrastructure, however, depends on computer programs, that is, on software. It is the software that defines the rules for the operation of computers, routers and the other components of the worldwide network. <br />
<br />
As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Lawrence Lessig, a law professor at Harvard University, wrote that &quot;code is law&quot;, i.e., the software is the law that governs the Internet. As a result, the &quot;laws&quot; governing the Internet are flawed, and these flaws can harm the security of the network's users.<br />
<br />
Flaws in Internet security are common and make the news almost daily. Police report many cases of criminals who use the Internet to commit their crimes. In most cases, these crimes are possible because systems lack an adequate level of security. Bank fraud is perhaps the clearest example of exploitation of security flaws, but other types of attacks against sites and systems exist and can cause damage to society. <br />
<br />
Our society depends on Internet services so much that the mere unavailability of some of these services (often caused by attackers using techniques that exploit security holes in the Internet infrastructure) is featured on the evening news, as is the unavailability of well-known web sites and networks such as Sony's PlayStation Network.<br />
<br />
CERT/CC, the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute, coordinates the response to Internet-related emergencies and attacks. CERT/CC statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7,236 in 2007. <br />
<br />
add local statistics here.<br />
<br />
The state of Internet security is delicate and tends to worsen as society increases its dependency on this infrastructure. By analogy with the recent financial crisis (the subprime crisis in the housing market), we have a vibrant ecosystem of applications and web sites whose foundation is not solid enough. There is a real risk that this foundation collapses, as happened with the financial markets, with consequences that could be devastating for society as a whole. As with the financial markets, solidifying the infrastructure is important, and the cost of doing so is certainly lower than the cost of a crisis that strikes before we act.<br />
<br />
==The Open Web Application Security Project==<br />
<br />
OWASP is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.<br />
<br />
OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security. <br />
<br />
OWASP is a new type of organization. Its freedom from commercial pressures allows it to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, although it supports the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open manner. <br />
<br />
OWASP's output includes documents and tools that are important for maintaining the security of applications, and OWASP also organizes important conferences in this area. All OWASP projects are published under [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].<br />
<br />
OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.<br />
<br />
==What can we do?==<br />
<br />
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.<br />
<br />
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.<br />
<br />
===By legislators===<br />
<br />
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality on the Internet. Governments need to act to create incentives for the adoption of secure practices in system development and also to hold accountable the people and organizations that do not properly address the security aspects of their applications.<br />
<br />
Some suggested actions are:<br />
<br />
====Allow and encourage research on cyber attacks and defenses====<br />
<br />
Cyber crime legislation is needed, and OWASP does not defend illegal or harmful activities. However, OWASP realizes that some initiatives to legislate on electronic crimes may also hamper legitimate activities and the much-needed research that will allow us to correctly address security vulnerabilities. <br />
<br />
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.<br />
<br />
====Require the publication of security assessments====<br />
<br />
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these flaws. Today we know that criminals active on digital networks do exchange information and have ample access to descriptions of flaws and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.<br />
<br />
As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.<br />
<br />
====Create an agency to address the aspects of disclosure of security flaws====<br />
<br />
Once laws requiring the disclosure of security breaches are in place, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the exchange of information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.<br />
<br />
====Require compliance with minimum security requirements in government contracts====<br />
<br />
The purchasing power of government cannot be ignored and must be used in favor of society. In the context of software security, the government can set minimum security criteria and require supplier qualification and the use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of security failures.<br />
<br />
====Make organizations which are not diligent about software security accountable====<br />
<br />
Like government suppliers, all organizations must be legally responsible for the security of the systems they operate or sell. Legislation should provide for penalties for organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.<br />
<br />
====Require that the government have access to security updates for all software during its lifetime====<br />
<br />
It is imperative that the systems used by public agencies are always updated with all security fixes, so that they are not affected by known vulnerabilities. Legislation is therefore needed to establish that the government must have access to security fixes for the systems it employs for the duration of their useful life, regardless of the existence of maintenance contracts.<br />
<br />
====Require open sourcing of applications used by the government and whose lifetime has expired====<br />
<br />
It is quite common for software manufacturers to limit the lifetime of their systems, mainly because of the release of new versions. At end of life, manufacturers usually stop publishing updates and security fixes, which increases the risk to organizations still relying on these versions.<br />
<br />
It is also quite common for government agencies to keep using systems that have long been abandoned by their manufacturers but still meet the needs of the public administration. Allowing the government to protect itself against flaws in these systems requires legislation compelling manufacturers to make the source code available, so that the government can perform the maintenance that the manufacturer no longer provides. The manufacturer may instead choose to provide the most current version of the software, provided there is no cost to the government.<br />
<br />
====Eliminate software licenses which exempt manufacturers from liability for the security of their products====<br />
<br />
Many current software licenses limit the manufacturer's liability in case of software security flaws. Legislation is needed to prevent a software manufacturer from disclaiming liability for the safety and security of the products it sells.<br />
<br />
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.<br />
<br />
===For consumer protection agencies===<br />
<br />
Our understanding is that protecting customer information is part of the necessary consumer protection practices, as is supplying systems free of defects, especially defects that may compromise the security of their users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.<br />
<br />
We suggest the following actions:<br />
<br />
====Act to restrict the use of abusive software licenses ====<br />
<br />
This action is similar and complementary to the item &quot;Eliminate software licenses which exempt manufacturers from liability for the security of their products&quot; described above.<br />
<br />
====Require manufacturers to disclose understandable information on the security level of their products or services====<br />
<br />
Just as manufacturers of electrical and electronic goods must disclose the energy consumption of their products, consumers have the right to know the characteristics and the level of security provided by the computer systems they use.<br />
<br />
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.<br />
<br />
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.<br />
<br />
====Require an adequate level of security for systems that deal with private data====<br />
<br />
Many organizations collect private information from their clients during their business relationships but do not always protect it adequately. Minimum procedures for protecting information collected from consumers are therefore required, and public or private organizations that do not adequately protect personal information should be liable. Leaks of personal information should be penalized and disclosed. In particular, all individuals potentially affected by a leak should be alerted to the fact and to its possible consequences.<br />
<br />
Some places already have legislation on data leaks, and this item may be unnecessary there.<br />
<br />
====Define that consumers should be informed of all possible uses of data provided to systems or sites====<br />
<br />
Not only must organizations protect the data collected from consumers, but consumers should also know all the possible uses of the information being collected. All public and private organizations should therefore be obligated to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be announced in advance and explicitly accepted by the affected consumers.<br />
<br />
Some places already have legislation about this issue and this item may be unnecessary.<br />
<br />
====Establish software security awareness campaigns for consumers====<br />
<br />
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.<br />
<br />
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their own computer device to prevent it from becoming a weapon in the hands of cybercriminals.<br />
<br />
===For oversight agencies===<br />
<br />
Auditing bodies can and should demand the adoption of appropriate application security practices in the sectors they oversee. These bodies should establish regulations that favor the use of security techniques in software development. The suggested actions are:<br />
<br />
====Define clear responsibilities about application security====<br />
<br />
Every organization should be responsible for the security of its systems, and this responsibility should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems in their regulations. There must be provision for punishment in cases where systems lack adequate security.<br />
<br />
====Verify and audit to ensure that appropriate security practices are adopted====<br />
<br />
Whenever possible, audits or checks must include items assessing whether application security best practices were properly adopted and implemented. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require that adequate levels of security be maintained in the auditee's systems.<br />
<br />
Some models can guide system security audit practices, such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), the [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) and [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).<br />
<br />
====Insert the security aspects of applications in regulations or recommendations====<br />
<br />
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.<br />
<br />
====Facilitate the creation of an insurance market for application security====<br />
<br />
As important as accountability for failing to maintain appropriate levels of security is, it is also important to create an insurance market for application security.<br />
<br />
An insurance market allows part of the security risk to be transferred to an insurer, while tending to raise premiums for entities that do not treat the security aspects of their systems properly. Together with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to improve their security posture.<br />
<br />
====Require the use of encrypted connections (SSL/TLS) for web applications====<br />
<br />
Many of today's attacks are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is TLS (still commonly called SSL), which encrypts the data transmitted between the browser and the web server, protecting the confidentiality and integrity of the information in transit and letting the browser authenticate the server.<br />
<br />
Thus, one simple measure to improve the security of web systems is to require that their data be transmitted over encrypted connections. To be effective the requirement must be enforced for every page rather than merely offered on a login form: plain-HTTP requests should be redirected to HTTPS, and session cookies should be marked so that browsers never send them unencrypted.<br />
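One way an oversight body or an agency's own team could verify that this requirement is met, written as an added example for this item (it is not OWASP code or part of the manifesto). It inspects HTTP responses that were captured earlier, here constructed inline so the check runs offline; the hostname example.gov.br, the cookie name and the header values are made up. The check looks at three things a browser relies on: a permanent redirect from http:// to https://, a Strict-Transport-Security header with a max-age of at least one year, and the Secure flag on cookies.<br />
<br />
```python
"""Check whether a web site actually enforces encrypted transport (TLS).

Added example, not code from the OWASP Brasil manifesto. Works on captured
HTTP responses; the samples at the bottom are constructed for illustration.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; a common minimum for HSTS max-age


def header(headers, name):
    """Return every value of a header (case-insensitive). Set-Cookie repeats."""
    return [v for k, v in headers if k.lower() == name.lower()]


def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def tls_enforcement_findings(http_status, http_headers, https_headers):
    """Return a list of problems; an empty list means encryption is enforced.

    http_status, http_headers: response to a plain http:// request.
    https_headers: headers of the same resource fetched over https://.
    Headers are lists of (name, value) tuples so repeated headers survive.
    """
    problems = []

    # 1. A plain-HTTP request must be permanently redirected to https://
    locations = header(http_headers, "Location")
    scheme = urlsplit(locations[0]).scheme if locations else ""
    if http_status not in (301, 308) or scheme != "https":
        problems.append("plain HTTP is served or not redirected to https://")

    # 2. HSTS tells the browser to refuse plain HTTP for max-age seconds
    hsts = header(https_headers, "Strict-Transport-Security")
    if not hsts or hsts_max_age(hsts[0]) < ONE_YEAR:
        problems.append("Strict-Transport-Security missing or max-age below one year")

    # 3. Cookies issued over HTTPS must never travel over HTTP (Secure flag)
    for cookie in header(https_headers, "Set-Cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            problems.append("cookie without Secure flag: " + cookie.split("=")[0])

    return problems


# Constructed sample: a site that offers HTTPS but does not enforce it
WEAK_HTTP = (200, [("Content-Type", "text/html")])
WEAK_HTTPS = [("Set-Cookie", "JSESSIONID=abc123; Path=/; HttpOnly")]

# Constructed sample: the corrected configuration for the same site
GOOD_HTTP = (301, [("Location", "https://example.gov.br/")])
GOOD_HTTPS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, (status, hdrs), https_hdrs in (
        ("weak", WEAK_HTTP, WEAK_HTTPS),
        ("good", GOOD_HTTP, GOOD_HTTPS),
    ):
        print(label, tls_enforcement_findings(status, hdrs, https_hdrs) or ["ok"])
```
<br />
The weak sample is exactly the situation the text describes: the server answers plain HTTP with the page itself, sets no HSTS policy and issues a session cookie that the browser will happily send over an unencrypted connection, so a network attacker can read or steal the session without touching TLS at all. The check does not look at the TLS configuration itself (protocol versions, certificate validity); that needs a live connection and is a separate test.<br />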
<br />
===For research and teaching institutions===<br />
<br />
Training the workforce is essential to move any country forward in every area closely linked to technology. To have a prosperous application security market, it is necessary to train an adequate number of experts in both the attack and the defense aspects of this discipline. Training should occur through the inclusion of security in university curricula and also through the training of researchers able to build new techniques and methodologies that advance this field. The interaction of educational and research institutions with industry for technology transfer and productization is greatly needed.<br />
<br />
The suggested actions for education and research institutions are:<br />
<br />
====Inclusion of application security best practices in course content====<br />
<br />
It is essential that all information technology professionals be aware of basic security practices, and including this material in university training is the best way to achieve this goal.<br />
<br />
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.<br />
<br />
====Creation of advanced courses in the field====<br />
<br />
Besides the basic practices that all professionals must know, it is necessary to train specialists in software security if the country is to develop a thriving security industry and generate wealth.<br />
<br />
====To promote and fund application security research====<br />
<br />
Generating knowledge is also essential for a country to take a world leadership role in application security. The only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.<br />
<br />
The promotion of knowledge and technology development in business is critical to a country's ability to create a market in application security products and its ability to create advanced and innovative technologies.<br />
<br />
====To promote the training of professionals capable of acting with ethics and responsibility====<br />
<br />
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. Ethics training must be an essential part of training these professionals.<br />
<br />
===For all public bodies===<br />
<br />
Any public agency may help to improve the current state of affairs by either undertaking awareness and training, or by using its purchasing power to favor companies that treat the security aspects of applications adequately.<br />
<br />
The suggested actions for all public organizations are:<br />
<br />
====Financing validations and security fixes for open source systems====<br />
<br />
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in publishing secure configurations, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.<br />
<br />
Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.<br />
<br />
====Promote the use of application security technologies and methodologies====<br />
<br />
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.<br />
<br />
It should be the responsibility of each agency to ensure that its systems have adequate security and that appropriate techniques are used in developing its computer systems.<br />
<br />
====Promote and enable security testing responsibly but openly====<br />
<br />
Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to test its systems in order to locate flaws, and should repair the vulnerabilities found as soon as possible.<br />
<br />
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own covert testing of these systems, something legitimate, well-intentioned researchers cannot do. So criminals currently have an advantage. The best way to redress this imbalance is to make it easy for researchers and security professionals to find flaws and report them appropriately, instead of having those flaws traded as currency in the digital underworld.<br />
<br />
====Promote awareness and training of managers about the challenges of web security====<br />
<br />
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in appropriate training and awareness sessions.<br />
<br />
==Competitive advantages for the country==<br />
<br />
The technology field is an economic activity with high added value, and therefore has the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.<br />
<br />
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in cyber-conflicts, cyber espionage and electronic warfare.<br />
<br />
The development of this field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability. <br />
<br />
The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investment, especially investment in businesses directly related to the Internet or enterprise software development.<br />
<br />
==How can OWASP help?==<br />
<br />
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.<br />
<br />
The materials and guidelines developed by OWASP can be translated into any language in order to serve as input for developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.<br />
<br />
The experts who participate in OWASP are willing to contribute to help the country move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit, and all specialists involved are volunteers.</div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_Manifesto/enOWASP Brasil Manifesto/en2011-06-20T01:04:52Z<p>Sapao: /* Web Insecurity */</p>
<hr />
<div>=Web Security - A Window of Opportunity=<br />
'''An open letter from OWASP Brazil to the Brazilian Government'''<br />
<br />
==Executive Summary==<br />
OWASP (Open Web Application Security Project) is a global and open community focused on improving the security of software systems and has chapters in several Brazilian cities. This document presents the vision of the Brazilian OWASP community on how the Brazilian government can act to improve security on the Internet.<br />
<br />
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security environment on the Brazilian Internet.<br />
<br />
The recommendations are divided according to the focus of each agency:<br />
* legislators<br />
* consumer protection bodies<br />
* control and audit bodies<br />
* teaching and research institutions<br />
* all public bodies<br />
<br />
The recommendations do not depend on each other, but we believe that maximum efficiency is achieved by implementing all of them. Improving security on the Brazilian Internet could bring several advantages for the country, such as attracting investment, training the workforce and developing an industry capable of exporting products and services with high added value.<br />
<br />
Brazilian experts who participate in OWASP are willing to contribute to help the country move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit, and all specialists involved are volunteers.<br />
<br />
==Web Insecurity==<br />
<br />
The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports that the number of users grew by more than 150% in North America and more than 350% in Europe between 2000 and 2011.<br />
<br />
Internet access methods have also diversified and now range from traditional cybercafes to cell phones, including dial-up and broadband. Thus, the range of users goes from the casual user who connects from a public computer to &quot;always connected&quot; users, who reach the Internet from a computer or cell phone whenever and wherever they are.<br />
<br />
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.<br />
<br />
Also, governments have invested in e-gov (electronic government) strategies, which consist in providing services to the population via the Internet.<br />
<br />
add e-gov examples here.<br />
<br />
Seen as a communications tool, the Internet has entered and changed the routines of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut and Twitter are a reality in the lives of individuals and companies, and are gaining importance as tools for community building and also for business.<br />
<br />
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Its packet-switched design, conceived in the 1960s so that traffic can route around failed parts of the network, lets it keep operating even if a disaster takes out parts of the network. That infrastructure, however, depends on a number of computer programs, that is, on software. It is the software that defines the rules for the operation of computers, routers and the other components of the worldwide network. <br />
<br />
As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Lawrence Lessig, a law professor at Harvard University, wrote that &quot;code is law&quot;, i.e., the software is the law that governs the Internet. As a result, the &quot;laws&quot; governing the Internet are flawed, and these flaws can harm the security of the network's users.<br />
<br />
Flaws in Internet security are common and make the news almost daily. Police report several cases of criminals who use the Internet to commit their crimes. In most cases, these crimes are possible because systems lack an adequate level of security. Bank fraud is perhaps the clearest example of exploitation of security flaws, but other types of fraud against sites and systems exist and can cause damage to society. <br />
<br />
Our society depends on Internet services so much that the mere unavailability of some of these services (often caused by attackers using techniques that exploit security holes in the Internet infrastructure) is featured on the evening news, as is the unavailability of well-known web sites and networks such as Sony's PlayStation Network.<br />
<br />
CERT/CC, the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute, coordinates the response to Internet-related emergencies and attacks. CERT/CC statistics show that the number of catalogued vulnerabilities increased from 417 in 1999 to 7,236 in 2007. <br />
<br />
add local statistics here.<br />
<br />
The state of Internet security is delicate and tends to worsen as society increases its dependency on this infrastructure. By analogy with the recent financial crisis (the subprime crisis in the housing market), we have a vibrant ecosystem of applications and web sites whose foundation is not solid enough. There is a real risk that this foundation collapses, as happened with the financial market, with consequences that could be devastating for the whole of society. As with the financial markets, solidifying the infrastructure is important, and the cost of doing so is certainly lower than the cost of a crisis that strikes before we act.<br />
<br />
==The OWASP Project==<br />
<br />
The OWASP (Open Web Application Security Project) is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.<br />
<br />
OWASP is an open community dedicated to empowering organizations to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security.<br />
<br />
OWASP is a new type of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.<br />
<br />
The OWASP project produces documents and tools that are important for maintaining the security of applications and also promotes important conferences in this area. All OWASP projects are published using [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].<br />
<br />
OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.<br />
<br />
==What can we do?==<br />
<br />
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.<br />
<br />
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.<br />
<br />
===By legislators===<br />
<br />
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality on the Internet. It is necessary that governments act to create incentives for the adoption of secure practices in system development and also hold accountable the people and organizations that do not properly address the security aspects of their applications.<br />
<br />
Some suggested actions are:<br />
<br />
====Allow and encourage research on cyber attacks and defenses====<br />
<br />
Cyber crime legislation is needed, and OWASP's position is not the protection of illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities.<br />
<br />
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.<br />
<br />
====Require the publication of security assessments====<br />
<br />
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.<br />
<br />
As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.<br />
<br />
====Create an agency to address the aspects of disclosure of security flaws====<br />
<br />
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.<br />
<br />
====Require compliance with minimum security requirements in government contracts====<br />
<br />
The purchasing power of the State cannot be ignored and must be used in favor of society. With respect to software security, the government can set minimum security criteria and require qualification and the use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of security failures in these systems.<br />
<br />
====Make organizations which are not diligent about software security accountable====<br />
<br />
Just like government suppliers, all organizations must be legally responsible for the security of the systems they operate or sell. The legislation should provide for punishment of organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.<br />
<br />
====Require that the government have access to security updates for all software during its lifetime====<br />
<br />
It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities.<br />
Thus, legislation is needed to determine that the government must have access to security fixes for systems that it employs for the duration of the useful life of these systems and regardless of the existence of maintenance contracts.<br />
<br />
====Require open sourcing of applications used by the government and whose lifetime has expired====<br />
<br />
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of a product's life, manufacturers stop publishing updates and security fixes, which increases the risk for organizations still relying on these versions.<br />
<br />
It is also quite common in government agencies to keep using systems that have been abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.<br />
<br />
====Eliminate software licenses which exempt manufacturers from liability for the security of their products====<br />
<br />
Many of the current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer from disclaiming liability for the safety and security of the products it sells.<br />
<br />
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.<br />
<br />
===For consumer protection agencies===<br />
<br />
Our understanding is that protecting customer information is part of the practices required by consumer protection, as is supplying systems free of defects, especially defects that may compromise the security of their users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.<br />
<br />
We suggest the following actions:<br />
<br />
====Act to restrict the use of abusive software licenses ====<br />
<br />
This action is similar and complementary to the item &quot;Eliminate software licenses which exempt manufacturers from liability for the security of their products&quot; described above.<br />
<br />
====Require manufacturers to disclose understandable information on the security level of their products or services====<br />
<br />
As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.<br />
<br />
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.<br />
<br />
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.<br />
<br />
====Require an adequate level of security for systems that deal with private data====<br />
<br />
Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, minimum procedures for the protection of information collected from consumers must be defined, and public or private organizations that do not adequately protect private information should be liable. Personal information leaks should be punishable and should be disclosed. In particular, all those potentially affected by a leak should be alerted to the fact and its possible consequences.<br />
<br />
Some places already have legislation on data leaks and this item may be unnecessary.<br />
<br />
====Define that consumers should be informed of all possible uses of data provided to systems or sites====<br />
<br />
Not only must organizations protect the data collected from consumers, but consumers should also know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations have the obligation to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be communicated in advance and explicitly accepted by the affected consumers.<br />
<br />
Some places already have legislation about this issue and this item may be unnecessary.<br />
<br />
====Establish software security awareness campaigns for consumers====<br />
<br />
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.<br />
<br />
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their personal computer to prevent it from becoming a weapon in the hands of cybercriminals.<br />
<br />
===For oversight agencies===<br />
<br />
Auditing bodies can and should demand from sectors that they oversee the adoption of appropriate practices for application security. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:<br />
<br />
====Define clear responsibilities about application security====<br />
<br />
Every organization should be responsible for the security of its systems and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where systems lack adequate security.<br />
<br />
====Verify and audit to ensure that appropriate security practices are adopted====<br />
<br />
Whenever possible, audits or checks must include items to assess whether the best practices of application security were properly adopted. We believe that audits are an opportunity to improve the practices adopted by organizations and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.<br />
<br />
There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).<br />
<br />
====Insert the security aspects of applications in regulations or recommendations====<br />
<br />
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.<br />
<br />
====Facilitate the creation of an insurance market for application security====<br />
<br />
As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.<br />
<br />
An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to increase their security level.<br />
<br />
====Require the use of encrypted connections (SSL) for web applications====<br />
<br />
Many of today's attacks are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which encrypts the data transmitted between browsers and web servers, ensuring the confidentiality and authenticity of the information.<br />
<br />
Thus, a simple and effective measure to improve the security of web systems is to require that their data be transmitted securely over the Internet.<br />
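A requirement like this is only useful if an oversight body can verify it. The script below is an added example, not part of the OWASP manifesto, showing how captured HTTP responses can be audited offline for three signs that a site actually enforces encrypted connections: plain-HTTP requests are redirected to HTTPS on the same host, the HTTPS response carries a Strict-Transport-Security header with a long enough max-age, and session cookies are marked Secure. The host names, the captured responses and the one-year max-age threshold are constructed assumptions for illustration.

```python
"""Offline audit of captured HTTP responses for HTTPS enforcement.

Added example. The captures below are constructed, and the one-year
Strict-Transport-Security threshold is an assumption, not a manifesto
requirement.
"""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: a one-year max-age is treated as the minimum acceptable HSTS policy.
MIN_HSTS_MAX_AGE = 31536000  # seconds


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Parse a raw HTTP/1.1 response head into (status, headers).

    Header names are lower-cased; repeated headers such as Set-Cookie
    are kept as a list instead of being overwritten.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header, or None if absent/invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_site(host: str, http_raw: str, https_raw: str) -> List[str]:
    """Return a list of findings; an empty list means HTTPS is enforced."""
    findings: List[str] = []

    # 1. The plain-HTTP endpoint must redirect to https:// on the same host.
    status, headers = parse_response(http_raw)
    target = urlparse(headers.get("location", [""])[0])
    if status not in (301, 302, 307, 308) or target.scheme != "https" or target.hostname != host:
        findings.append("plain HTTP is served instead of redirecting to https://" + host)

    # 2. The HTTPS response must pin browsers to HTTPS via HSTS.
    status, headers = parse_response(https_raw)
    hsts = headers.get("strict-transport-security")
    if not hsts:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    else:
        age = hsts_max_age(hsts[0])
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age {age} is below {MIN_HSTS_MAX_AGE}")

    # 3. Cookies must never be sent over plain HTTP, so they need the Secure attribute.
    for cookie in headers.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        name = cookie.split("=", 1)[0].strip()
        if "secure" not in attrs:
            findings.append(f"cookie {name} is set without the Secure attribute")
    return findings


# Constructed sample captures (hypothetical hosts, not real sites).
GOOD_HTTP = ("HTTP/1.1 301 Moved Permanently\r\n"
             "Location: https://portal.example.gov.br/\r\n\r\n")
GOOD_HTTPS = ("HTTP/1.1 200 OK\r\n"
              "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
              "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n\r\n")
BAD_HTTP = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: text/html\r\n\r\n<html>login form over plain HTTP</html>")
BAD_HTTPS = ("HTTP/1.1 200 OK\r\n"
             "Set-Cookie: session=abc123; Path=/\r\n\r\n")


def audit_all() -> Dict[str, List[str]]:
    """Audit every constructed capture and return findings per host."""
    captures = {
        "portal.example.gov.br": (GOOD_HTTP, GOOD_HTTPS),
        "legacy.example.gov.br": (BAD_HTTP, BAD_HTTPS),
    }
    return {host: audit_site(host, h, s) for host, (h, s) in captures.items()}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The checks are deliberately limited to what is visible in the captured response heads, so the same logic can run over a regulator's archived evidence without touching the audited systems; the hypothetical legacy host fails all three checks, the portal passes all of them.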
<br />
===For research and teaching institutions===<br />
<br />
Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a booming application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. The training of an adequate workforce should happen through the inclusion of security in university curricula and also through the training of researchers able to build new techniques and methodologies to advance this field. Interaction between educational and research institutions and industry for technology transfer and productization is much needed.<br />
<br />
The suggested actions for education and research institutions are:<br />
<br />
====Inclusion of application security best practices in course contents====<br />
<br />
It is essential that all information technology professionals are aware of basic security practices, and the inclusion of such information in university training is the best way to achieve this goal.<br />
<br />
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.<br />
<br />
====Creation of advanced courses in the field====<br />
<br />
Besides the basic practices that must be known to all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.<br />
<br />
====To promote and fund application security research====<br />
<br />
Generating knowledge is also essential for a country to take the world leadership in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.<br />
<br />
The promotion of knowledge and technology development in business is critical to a country's ability to create a market of application security products and its ability to create advanced and innovative technologies.<br />
<br />
====To promote the training of professionals capable of acting with ethics and responsibility====<br />
<br />
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.<br />
<br />
===For all public bodies===<br />
<br />
Any public agency may help to improve the current state of affairs either by doing awareness and training or by using its purchasing power to favor companies that adequately address the security aspects of applications.<br />
<br />
The suggested actions for all public organizations are:<br />
<br />
====Financing validations and security fixes for open source systems====<br />
<br />
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that these open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.<br />
<br />
Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.<br />
<br />
====Promote the use of application security technologies and methodologies====<br />
<br />
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.<br />
<br />
It should be the responsibility of each agency to ensure that its systems have adequate security and that appropriate techniques are used in developing its computer systems.<br />
<br />
====Promote and enable security testing responsibly but openly====<br />
<br />
Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.<br />
<br />
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own covert testing of these systems, unlike legitimate researchers with good intentions. So, criminals have an advantage when it comes to these systems' security. The best way to balance this dispute is to facilitate the work of researchers and security professionals to find faults and report them appropriately instead of having these faults be used as a currency in digital underworlds.<br />
<br />
====Promote awareness and training of managers about the challenges of web security====<br />
<br />
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in training and awareness sessions in this regard. <br />
<br />
==Competitive advantages for the country==<br />
<br />
The technology field is an economic activity with high added value and the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.<br />
<br />
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in case of cyber-conflicts or electronic warfare.<br />
<br />
The development of a field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability. <br />
<br />
The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investments, especially investments in businesses directly related to the Internet or enterprise software development.<br />
<br />
==How can OWASP help?==<br />
<br />
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.<br />
<br />
The materials and guidelines developed by OWASP can be translated into any language in order to serve as a subsidy in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.<br />
<br />
The experts that participate in OWASP are willing to help the country move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.</div>
<p>https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/en OWASP Brasil Manifesto/en 2011-06-19T18:16:05Z Sapao: /* Web Insecurity */</p>
<hr />
<div>=Web Security - A Window of Opportunity=<br />
'''An open letter from OWASP Brazil to the Brazilian Government'''<br />
<br />
==Executive Summary==<br />
OWASP (Open Web Application Security Project) is a global and open community focused on improving the security of software systems and has chapters in several Brazilian cities. This document presents the vision of the Brazilian OWASP community on how the Brazilian government can act to improve security on the Internet.<br />
<br />
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security environment in the Brazilian Internet.<br />
<br />
The recommendations are divided according to the focus of each agency:<br />
* legislators<br />
* consumer protection bodies<br />
* control and audit bodies<br />
* teaching and research institutions<br />
* all public bodies<br />
<br />
The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the Brazilian Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.<br />
<br />
Brazilian experts that participate in OWASP are willing to help the country move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.<br />
<br />
==Web Insecurity==<br />
<br />
This section is highly dependent of the local reality and should be adapted for each geographic region.<br />
The text below shows an example written for the Brazilian reality.<br />
<br />
The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% for North America and 350%.<br />
<br />
The Internet access methods also have diversified and now include everything from traditional cybercafes to cell phones, including dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to &quot;always connected&quot; users, accessing the computer or cell phone when and wherever they are.<br />
<br />
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, it is very difficult today to find an organization which does not rely on the Internet in some way.<br />
<br />
Also, governments have invested in e-gov, or electronic government, strategies, which consist of providing services to the population via the Internet.<br />
<br />
add e-gov examples here.<br />
<br />
Seen as a communications tool, the Internet has also entered and changed the routine of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most people for work or for leisure. Social networks like Facebook, Orkut or Twitter are a reality in the lives of individuals and companies and gain importance as tools for community building and also for business.<br />
<br />
cont. here<br />
<br />
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in the network. However, this infrastructure depends on a number of computer programs, called software. It is software that defines the rules for the operation of computers, routers and other components of the World Network.<br />
<br />
As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Lawrence Lessig, a law professor at Harvard University, said that &quot;Code is law&quot;, i.e., the software is the law that governs the Internet. As a result, the &quot;laws&quot; governing the Internet are flawed and these flaws can cause problems for the security of users of the network.<br />
<br />
Flaws in Internet security are common and usually part of the news. There are several cases reported by police of criminals who use the Internet to commit their crimes. In most cases, crimes are possible due to a lack of an adequate level of security in systems. Bank frauds are perhaps the greatest example of exploitation of security flaws, but other types of fraud against sites and systems exist and can cause damage to the population.<br />
<br />
The dependence of society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in Internet infrastructure) is featured on the evening news, such as the unavailability of large government systems (Denatran, IRPF, SISU).<br />
<br />
CERT.br, the Centre for Studies, Response and Treatment of Security Incidents in Brazil, is the Brazilian Internet Steering Committee agency which collects information on attacks on the Brazilian Internet. The CERT.br statistics show that the number of attacks on Brazilian networks increased from 3107 in 1999 to 358,343 in 2009, an increase of 100 times in 10 years.<br />
<br />
The state of Internet security is delicate and tends to worsen as society becomes increasingly dependent on this infrastructure. In an analogy with the recent financial market crisis (the subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem can collapse, as happened with the financial market, and the consequences could be devastating for the whole society. As in the case of financial markets, solidifying the infrastructure is important, and the cost of acting now is certainly lower than the cost of a crisis if we wait before acting.<br />
<br />
Brazil was far less affected by the subprime crisis than other countries because it already had built a solid foundation for its financial market. It's time to learn from this experience and prepare ourselves well in other important sectors of our economy and our daily lives.<br />
<br />
==The OWASP Project==<br />
<br />
The OWASP (Open Web Application Security Project) is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.<br />
<br />
OWASP is an open community dedicated to empowering organizations to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security.<br />
<br />
OWASP is a new type of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.<br />
<br />
The OWASP project produces documents and tools that are important for maintaining the security of applications and also promotes important conferences in this area. All OWASP projects are published using [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].<br />
<br />
OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.<br />
<br />
==What can we do?==<br />
<br />
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.<br />
<br />
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.<br />
<br />
===By legislators===<br />
<br />
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality on the Internet. It is necessary that governments act to create incentives for the adoption of secure practices in system development and also hold accountable the people and organizations that do not properly address the security aspects of their applications.<br />
<br />
Some suggested actions are:<br />
<br />
====Allow and encourage research on cyber attacks and defenses====<br />
<br />
Cyber crime legislation is needed, and OWASP's position is not the protection of illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities.<br />
<br />
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.<br />
<br />
====Require the publication of security assessments====<br />
<br />
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.<br />
<br />
As with the aviation industry, where failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to improve the security of the systems on which we depend.<br />
<br />
====Create an agency to address the aspects of disclosure of security flaws====<br />
<br />
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.<br />
<br />
====Require compliance with minimum security requirements in government contracts====<br />
<br />
The purchasing power of the State cannot be ignored and must be used in favor of society. With respect to software security, the government can set minimum security criteria and require qualification and the use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of security failures in these systems.<br />
<br />
====Make organizations which are not diligent about software security accountable====<br />
<br />
Like government suppliers, all organizations must be legally responsible for the security of the systems they operate or sell. The legislation should provide for punishment of those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.<br />
<br />
====Require that the government have access to security updates for all software during its lifetime====<br />
<br />
It is imperative that the systems used by public agencies are always updated with all the security fixes, so they are not affected by known vulnerabilities.<br />
Thus, legislation is needed to determine that the government must have access to security fixes for the systems it employs for the duration of their useful life, regardless of the existence of maintenance contracts.<br />
<br />
====Require open sourcing of applications used by the government and whose lifetime has expired====<br />
<br />
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of a product's life, manufacturers stop publishing updates and security fixes, which increases the risk for organizations still relying on these versions.<br />
<br />
It is also quite common for government agencies to keep using systems that have been abandoned by their manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires legislation to compel manufacturers to make available the source code of these systems, so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.<br />
<br />
====Eliminate software licenses which exempt manufacturers from liability for the security of their products====<br />
<br />
Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer from avoiding liability for the safety and security of the products it sells.<br />
<br />
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.<br />
<br />
===For consumer protection agencies===<br />
<br />
Our understanding is that the protection of customer information is part of the necessary practices of consumer protection, as is the supply of systems free of defects, especially defects that may compromise the security of their users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.<br />
<br />
We suggest the following actions:<br />
<br />
====Act to restrict the use of abusive software licenses====<br />
<br />
This action is similar and complementary to the item &quot;Eliminate software licenses which exempt manufacturers from liability for the security of their products&quot;, described above.<br />
<br />
====Require manufacturers to disclose understandable information on the security level of their products or services====<br />
<br />
As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.<br />
<br />
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.<br />
<br />
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.<br />
<br />
====Require an adequate level of security for systems that deal with private data====<br />
<br />
Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, the definition of minimum procedures for the protection of information collected from consumers is required, and public or private organizations that do not adequately protect private information should be liable. Personal information leaks should be punishable and should be disclosed. In particular, all those potentially affected by a leak should be alerted to the fact and its possible consequences.<br />
<br />
Some places already have legislation on data leaks, and this item may be unnecessary.<br />
<br />
====Define that consumers should be informed of all possible uses of data provided to systems or sites====<br />
<br />
Not only must organizations protect the data collected from consumers, but consumers should also know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations have the obligation to disclose all possible uses of the data they collect, including future uses. Any change in data use policies must be communicated in advance and explicitly accepted by the affected consumers.<br />
<br />
Some places already have legislation about this issue and this item may be unnecessary.<br />
<br />
====Establish software security awareness campaigns for consumers====<br />
<br />
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.<br />
<br />
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their personal computer to prevent it from becoming a weapon in the hands of cybercriminals.<br />
<br />
===For oversight agencies===<br />
<br />
Auditing bodies can and should demand from sectors that they oversee the adoption of appropriate practices for application security. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:<br />
<br />
====Define clear responsibilities about application security====<br />
<br />
Every organization should be responsible for the security of its systems, and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where systems lack adequate security.<br />
<br />
====Verify and audit to ensure that appropriate security practices are adopted====<br />
<br />
Whenever possible, audits or checks must include items to assess whether the best practices of application security were properly adopted. We believe that audits are an opportunity to improve the practices adopted by organizations and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.<br />
<br />
There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).<br />
<br />
====Insert the security aspects of applications in regulations or recommendations====<br />
<br />
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.<br />
<br />
====Facilitate the creation of an insurance market for application security====<br />
<br />
As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.<br />
<br />
An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to increase their security level.<br />
<br />
====Require the use of encrypted connections (SSL) for web applications====<br />
<br />
Many of the attacks that exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which encrypts the data transmitted between browsers and web servers, ensuring the confidentiality and authenticity of the information.<br />
<br />
Thus, a simple and effective measure to improve the security of web systems is to require that data be transmitted securely over the Internet.<br />
<br />
===For research and teaching institutions===<br />
<br />
Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a booming application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. The training of an adequate workforce should happen through the inclusion of security in university curricula and also through the training of researchers able to build new techniques and methodologies to advance this field. Interaction between educational and research institutions and industry for technology transfer and productization is much needed.<br />
<br />
The suggested actions for education and research institutions are:<br />
<br />
====Inclusion of application security best practices in course contents====<br />
<br />
It is essential that all information technology professionals are aware of basic security practices, and the inclusion of such information in university training is the best way to achieve this goal.<br />
<br />
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.<br />
<br />
====Creation of advanced courses in the field====<br />
<br />
Besides the basic practices that must be known to all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.<br />
<br />
====To promote and fund application security research====<br />
<br />
Generating knowledge is also essential for a country to take the world leadership in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.<br />
<br />
The promotion of knowledge and technology development in business is critical to a country's ability to create a market for application security products and its ability to create advanced and innovative technologies.<br />
<br />
====To promote the training of professionals capable of acting with ethics and responsibility====<br />
<br />
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.<br />
<br />
===For all public bodies===<br />
<br />
Any public agency may help to improve the current state of affairs by either doing awareness and training or by using its purchasing power to favor companies that treat adequately the security aspects of applications.<br />
<br />
The suggested actions for all public organizations are:<br />
<br />
====Financing validations and security fixes for open source systems====<br />
<br />
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that these open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.<br />
<br />
Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.<br />
<br />
====Promote the use of application security technologies and methodologies====<br />
<br />
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.<br />
<br />
It should be the responsibility of each agency to ensure that its systems have adequate security and that appropriate techniques are used in developing its computer systems.<br />
<br />
====Promote and enable security testing responsibly but openly====<br />
<br />
Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.<br />
<br />
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own undercover testing on these systems, unlike legitimate researchers with good intentions. So, criminals have an advantage when it comes to the security of these systems. The best way to balance this dispute is to facilitate the work of researchers and security professionals in finding faults and reporting them appropriately, instead of having these faults used as currency in digital underworlds.<br />
<br />
====Promote awareness and training of managers about the challenges of web security====<br />
<br />
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in training and awareness sessions in this regard. <br />
<br />
==Competitive advantages for the country==<br />
<br />
The technology field is an economic activity with high added value and the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.<br />
<br />
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in case of cyber-conflicts or electronic warfare.<br />
<br />
The development of a field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability. <br />
<br />
The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investments, especially investments in businesses directly related to the Internet or enterprise software development.<br />
<br />
==How can OWASP help?==<br />
<br />
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.<br />
<br />
The materials and guidelines developed by OWASP can be translated into any language in order to serve as input in developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.<br />
<br />
The experts that participate in OWASP are willing to contribute to moving the country in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.</div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_Manifesto/enOWASP Brasil Manifesto/en2011-06-19T16:33:49Z<p>Sapao: /* Web Insecurity */</p>
<hr />
<div>=Web Security - A Window of Opportunity=<br />
'''An open letter from OWASP Brazil to the Brazilian Government'''<br />
<br />
==Executive Summary==<br />
OWASP (Open Web Application Security Project) is a global and open community focused on improving the security of software systems and has chapters in several Brazilian cities. This document presents the vision of the Brazilian OWASP community on how the Brazilian government can act to improve security on the Internet.<br />
<br />
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security environment in the Brazilian Internet.<br />
<br />
The recommendations are divided according to the focus of each agency:<br />
* legislators<br />
* consumer protection bodies<br />
* control and audit bodies<br />
* teaching and research institutions<br />
* all public bodies<br />
<br />
The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the Brazilian Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.<br />
<br />
Brazilian experts that participate in OWASP are willing to contribute to moving the country in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.<br />
<br />
==Web Insecurity==<br />
<br />
This section is highly dependent on the local reality and should be adapted for each geographic region.<br />
The text below shows an example written for the Brazilian reality.<br />
<br />
The Internet is now a reality in the lives of most people, as shown by usage statistics. The [http://www.internetworldstats.com/ Internet World Stats] web site [http://www.internetworldstats.com/stats.htm reports] that about 80% of North Americans and 60% of Europeans are Internet users. The IWS also reports growth rates from 2010 to 2011 of more than 150% for North America and 350%.<br />
<br />
Internet access methods have also diversified and now include everything from traditional telecenters and cybercafes to access via cellular phones, as well as dialup and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to &quot;always connected&quot; users, who access the Internet from a computer or cell phone at all times and wherever they are.<br />
<br />
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, today it is very difficult to find any organization that does not rely on the Internet in some way. With the advent of electronic invoices, the Internet gains even greater importance in day-to-day business.<br />
<br />
Also, the Brazilian government has invested in the use of e-gov strategies, or electronic government, which consist in providing services to the population via the Internet. The most important example in this area is, without doubt, the Individual Income Tax return, which in 2011 started to be accepted only in electronic format. Another example is the large-scale SISU - Unified Selection System of the Ministry of Education. Other services, while not available on the Internet, have similar characteristics and have the potential to bring the country to a halt, such as the Brazilian Payment System (SPB), maintained by the Central Bank.<br />
<br />
The Judiciary is also making strides in its computerization and use of the Internet to provide services to citizens. Examples are the widespread use of electronic proceedings and judicial process monitoring over the web. Many courts are studying ways to enable the filing of documents and the opening of proceedings by electronic means, especially via the Internet.<br />
<br />
In communications, the Internet has also been incorporated and has changed the routine of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most of the population as tools for work or for leisure. Social networks like Facebook, Orkut or Twitter are a reality in the lives of individuals and companies and gain importance as tools for community building and also for business.<br />
<br />
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in the network. However, this infrastructure depends on a number of computer programs, called software. It is software that defines the rules for the operation of computers, routers and other components of the World Network.<br />
As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Lawrence Lessig, a law professor at Harvard University, said that &quot;Code is law&quot;, i.e., the software is the law that governs the Internet. As a result, the &quot;laws&quot; governing the Internet are flawed, and these flaws can cause problems for the security of users of the network.<br />
<br />
Flaws in Internet security are common and regularly in the news. There are several cases reported by the police of criminals who use the Internet to commit their crimes. In most cases, these crimes are possible due to the lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of the exploitation of security flaws, but other types of fraud involving sites and systems exist and can cause damage to the population.<br />
<br />
The dependence of society on Internet services is such that the mere unavailability of some of these services (often caused by criminals using techniques that exploit security holes in the Internet infrastructure) is featured on the evening news, as happened with the unavailability of large government systems (Denatran, IRPF, SISU).<br />
<br />
CERT.br, the Centre for Studies, Response and Treatment of Security Incidents in Brazil, is the Brazilian Internet Steering Committee agency that collects information on attacks on the Brazilian Internet. The CERT.br statistics show that the number of attacks on Brazilian networks increased from 3107 in 1999 to 358,343 in 2009, an increase of 100 times in 10 years.<br />
<br />
The state of Internet security is delicate and tends to worsen as society becomes increasingly dependent on this infrastructure. In an analogy with the recent financial market crisis (the subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem could collapse, as happened with the financial market, and the consequences could be devastating for the whole of society. As in the case of the financial markets, solidifying the infrastructure is important, and the cost is certainly lower than it would be if a crisis occurred before we acted.<br />
<br />
Brazil was far less affected by the subprime crisis than other countries because it already had built a solid foundation for its financial market. It's time to learn from this experience and prepare ourselves well in other important sectors of our economy and our daily lives.<br />
<br />
==The OWASP Project==<br />
<br />
The OWASP (Open Web Application Security Project) is a global community, focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.<br />
<br />
OWASP is an open community dedicated to empowering organizations to be able to conceive, develop, acquire, operate and maintain systems that are reliable. All tools, documents, forums, and sections of OWASP are free and open to anyone interested in improving application security.<br />
<br />
OWASP is a new type of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, while supporting the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.<br />
<br />
Among OWASP's deliverables are documents and important tools for maintaining the security of applications; OWASP also promotes important conferences in this area. All OWASP projects are published using [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].<br />
<br />
OWASP is a non-profit and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.<br />
<br />
==What can we do?==<br />
<br />
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.<br />
<br />
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.<br />
<br />
===By legislators===<br />
<br />
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality on the Internet. It is necessary that governments act to create incentives for the adoption of secure practices in system development and also hold accountable the people and organizations that do not properly address the security aspects of their applications.<br />
<br />
Some suggested actions are:<br />
<br />
====Allow and encourage research on cyber attacks and defenses====<br />
<br />
Cyber crime legislation is needed, and OWASP's position is not the protection of illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities.<br />
<br />
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.<br />
<br />
====Require the publication of security assessments====<br />
<br />
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information than the teams responsible for maintaining the security of network providers, companies or the government.<br />
<br />
As with the aviation industry, where failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to improve the security of the systems on which we depend.<br />
<br />
====Create an agency to address the aspects of disclosure of security flaws====<br />
<br />
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.<br />
<br />
====Require compliance with minimum security requirements in government contracts====<br />
<br />
The purchasing power of the State cannot be ignored and must be used in favor of society. With respect to software security, the government can set minimum security criteria and require qualification and the use of technical protections in systems provided to the government. An important aspect is the possibility of holding suppliers accountable in case of security failures in the systems they supply.<br />
<br />
====Make organizations which are not diligent about software security accountable====<br />
<br />
Just like government suppliers, all organizations must be legally responsible for the security of the systems they operate or sell. The legislation should provide for punishment of those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.<br />
<br />
====Require that the government have access to security updates for all software during its lifetime====<br />
<br />
It is imperative that the systems used by public agencies are always updated with all security fixes, so that they are not affected by known vulnerabilities.<br />
Thus, legislation is needed to establish that the government must have access to security fixes for the systems it employs for the duration of the useful life of these systems, regardless of the existence of maintenance contracts.<br />
<br />
====Require open sourcing of applications used by the government and whose lifetime has expired====<br />
<br />
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of a product's life, manufacturers stop publishing updates and security fixes, which increases the risk for organizations still relying on these versions.<br />
<br />
It is also quite common for government agencies to keep using systems that have been abandoned by their manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself against failures in these systems requires legislation compelling manufacturers to make the source code of these systems available, so that the government is able to perform the necessary maintenance once the manufacturer no longer does. The manufacturer may also choose instead to provide the most current version of the software, provided there is no cost to the government.<br />
<br />
====Eliminate software licenses which exempt manufacturers from liability for the security of their products====<br />
<br />
Many of the current software licenses limit the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer from avoiding liability for the safety and security of the products it sells.<br />
<br />
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.<br />
<br />
===For consumer protection agencies===<br />
<br />
Our understanding is that the protection of customer information is part of the necessary practices of consumer protection, as is the supply of systems free of defects, especially defects that may compromise the security of their users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.<br />
<br />
We suggest the following actions:<br />
<br />
====Act to restrict the use of abusive software licenses====<br />
<br />
This action is similar and complementary to the item &quot;Eliminate software licenses which exempt manufacturers from liability for the security of their products&quot; described above.<br />
<br />
====Require manufacturers to disclose understandable information on the security level of their products or services====<br />
<br />
As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.<br />
<br />
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.<br />
<br />
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.<br />
<br />
====Require an adequate level of security for systems that deal with private data====<br />
<br />
Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, minimum procedures for the protection of information collected from consumers need to be defined, and public or private organizations that do not adequately protect private information should be liable. Personal information leaks should be punishable and should be disclosed. In particular, all those potentially affected by a leak should be alerted to the fact and its possible consequences.<br />
<br />
Some places already have legislation on data leaks and this item may be unnecessary.<br />
<br />
====Define that consumers should be informed of all possible uses of data provided to systems or sites====<br />
<br />
Not only must organizations protect the data collected from consumers, but consumers should know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations have the obligation to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be communicated in advance and explicitly accepted by the affected consumers.<br />
<br />
Some places already have legislation about this issue and this item may be unnecessary.<br />
<br />
====Establish software security awareness campaigns for consumers====<br />
<br />
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.<br />
<br />
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their personal computer to prevent it from becoming a weapon in the hands of cybercriminals.<br />
<br />
===For oversight agencies===<br />
<br />
Auditing bodies can and should demand from sectors that they oversee the adoption of appropriate practices for application security. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:<br />
<br />
====Define clear responsibilities about application security====<br />
<br />
Every organization should be responsible for the security of its systems, and this responsibility should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where systems lack adequate security.<br />
<br />
====Verify and audit to ensure that appropriate safety practices are adopted====<br />
<br />
Whenever possible, audits or checks must include items to assess whether the best practices of application security were properly adopted. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.<br />
<br />
There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).<br />
<br />
====Insert the security aspects of applications in regulations or recommendations====<br />
<br />
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.<br />
<br />
====Facilitate the creation of an insurance market for security applications====<br />
<br />
As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.<br />
<br />
An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to increase their security level.<br />
<br />
====Require the use of encrypted connections (SSL) for web applications====<br />
<br />
Many of the attacks seen today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which encrypts the data transmitted between browsers and web servers, ensuring the confidentiality and authenticity of the information.<br />
<br />
Thus, a simple and effective measure to improve the security of web systems is to require that data be transmitted securely over the Internet.<br />
<br />
===For research and teaching institutions===<br />
<br />
Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a booming application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. The training of an adequate workforce should happen through the inclusion of security in university curricula and also through the training of researchers able to build new techniques and methodologies to advance this field. Interaction between educational and research institutions and industry, for technology transfer and productization, is much needed.<br />
<br />
The suggested actions for education and research institutions are:<br />
<br />
====Inclusion of application security best practices in course contents====<br />
<br />
It is essential that all information technology professionals are aware of basic security practices, and the inclusion of such content in university training is the best way to achieve this goal.<br />
<br />
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.<br />
<br />
====Creation of advanced courses in the field====<br />
<br />
Besides the basic practices that must be known to all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.<br />
<br />
====To promote and fund application security research====<br />
<br />
Generating knowledge is also essential for a country to take the world leadership in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.<br />
<br />
The promotion of knowledge and technology development in business is critical to a country's ability to create a market for application security products and to create advanced and innovative technologies.<br />
<br />
====To promote the training of professionals capable of acting with ethics and responsibility====<br />
<br />
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.<br />
<br />
===For all public bodies===<br />
<br />
Any public agency may help to improve the current state of affairs, either by carrying out awareness and training activities or by using its purchasing power to favor companies that adequately treat the security aspects of applications.<br />
<br />
The suggested actions for all public organizations are:<br />
<br />
====Financing validations and security fixes for open source systems====<br />
<br />
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that these open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in developing fixes for the security flaws found in these systems and in responsible disclosure of flaws as well as fixes.<br />
<br />
Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.<br />
<br />
====Promote the use of application security technologies and methodologies====<br />
<br />
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.<br />
<br />
It should be the responsibility of each agency to ensure that its systems have adequate security and that appropriate techniques are used in developing its computer systems.<br />
<br />
====Promote and enable security testing responsibly but openly====<br />
<br />
Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on its systems in order to locate faults, and should repair the vulnerabilities found as soon as possible.<br />
<br />
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own covert testing on these systems, unlike legitimate researchers with good intentions, so criminals have an advantage when it comes to the security of these systems. The best way to balance this dispute is to facilitate the work of researchers and security professionals in finding faults and reporting them appropriately, instead of having these faults used as currency in digital underworlds.<br />
<br />
====Promote awareness and training of managers about the challenges of web security====<br />
<br />
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in training and awareness sessions in this regard. <br />
<br />
==Competitive advantages for the country==<br />
<br />
The technology field is an economic activity with high added value and the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.<br />
<br />
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in case of cyber-conflicts or electronic warfare.<br />
<br />
The development of a field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability. <br />
<br />
The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investments, especially investments in businesses directly related to the Internet or enterprise software development.<br />
<br />
==How can OWASP help?==<br />
<br />
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.<br />
<br />
The materials and guidelines developed by OWASP can be translated into any language in order to serve as input for developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.<br />
<br />
The experts that participate in OWASP are willing to contribute to help the country move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.</div>
<p>Sapao: OWASP Brasil Manifesto/en (https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/en), revision of 2011-06-19T16:00:42Z, edit summary: /* Executive Summary */</p>
<hr />
<div>=Web Security - A Window of Opportunity=<br />
'''An open letter from OWASP Brazil to the Brazilian Government'''<br />
<br />
==Executive Summary==<br />
OWASP (Open Web Application Security Project) is a global and open community focused on improving the security of software systems and has chapters in several Brazilian cities. This document presents the vision of the Brazilian OWASP community on how the Brazilian government can act to improve security on the Internet.<br />
<br />
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security environment in the Brazilian Internet.<br />
<br />
The recommendations are divided according to the focus of each agency:<br />
* legislators<br />
* consumer protection bodies<br />
* control and audit bodies<br />
* teaching and research institutions<br />
* all public bodies<br />
<br />
The recommendations do not have dependencies on each other, but we believe that maximum efficiency occurs with the implementation of all recommendations. Improving security in the Brazilian Internet could bring several advantages for the country, such as the attraction of investment, training of the workforce and the development of an industry capable of exporting products and services with high added value.<br />
<br />
Brazilian experts that participate in OWASP are willing to contribute to help the country move in the right direction and may serve as an advisory body or liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.<br />
<br />
==Web Insecurity==<br />
<br />
This section is highly dependent on the local reality and should be adapted for each geographic region.<br />
The text below shows an example written for the Brazilian reality.<br />
<br />
The Internet is now a reality in the lives of most people, as shown by the statistics on numbers of users. IBGE figures for 2009 indicated that 27.4% of Brazilian households had Internet access and that 67.9 million people were Internet users in the same year. The surveys also indicate a rapid growth in the number of Internet users, with an increase of 112.9% between 2005 and 2009.<br />
<br />
Internet access methods have also diversified and now include everything from traditional telecenters and cybercafes to access via cell phones, as well as dial-up and broadband. Thus, the range of users goes from the casual user who accesses from a public computer to &quot;always connected&quot; users, accessing from a computer or cell phone at all times and wherever they are.<br />
<br />
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, today it is very difficult to find any organization that does not rely on the Internet in some way. With the advent of electronic invoicing, the Internet gains even greater importance in day-to-day business.<br />
<br />
The Brazilian government has also invested in e-gov, or electronic government, strategies, which consist in providing services to the population via the Internet. The most important example in this area is, without doubt, the individual income tax return, which in 2011 started to be accepted only in electronic format. Another example is the large-scale SISU - Unified Selection System of the Ministry of Education. Other services, while not available on the Internet, have similar characteristics and have the potential to bring the country to a halt, such as the Brazilian Payment System (SPB), maintained by the Central Bank.<br />
<br />
The Judiciary is also making strides in its computerization and use of the Internet to provide services to citizens. Examples are the widespread use of electronic proceedings and judicial process monitoring over the web. Many courts are studying ways to enable the filing of documents and the opening of proceedings by electronic means, especially via the Internet.<br />
<br />
In communications, the Internet has also been incorporated into, and has changed, the routine of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most of the population as tools for work or for leisure. Social networks like Facebook, Orkut or Twitter are a reality in the lives of individuals and companies and gain importance as tools for community building and also for business.<br />
<br />
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in the network. However, this infrastructure depends on a number of computer programs, called software. It is software that defines the rules for the operation of computers, routers and other components of the World Network.<br />
As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Lawrence Lessig, a law professor at Harvard University, said that &quot;Code is law&quot;, i.e., software is the law that governs the Internet. As a result, the &quot;laws&quot; governing the Internet are flawed, and these flaws can cause problems for the security of users of the network.<br />
<br />
Flaws in Internet security are common and frequently in the news. There are several cases reported by the police of criminals who use the Internet to commit their crimes. In most cases, these crimes are possible due to the lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of exploitation of security flaws, but other types of fraud involving sites and systems exist and can cause damage to the population.<br />
<br />
The dependence of society on Internet services is such that the mere unavailability of some of these services (often caused by bad guys using techniques that exploit security holes in the Internet infrastructure) is featured on the evening news, as with the unavailability of large government systems (Denatran, IRPF, SISU).<br />
<br />
CERT.br, the Centre for Studies, Response and Treatment of Security Incidents in Brazil, is the Brazilian Internet Steering Committee agency which collects information on attacks on the Brazilian Internet. The CERT.br statistics show that the number of attacks on Brazilian networks increased from 3107 in 1999 to 358,343 in 2009, an increase of 100 times in 10 years.<br />
<br />
The state of Internet security is delicate and tends to worsen as society becomes increasingly dependent on this infrastructure. In an analogy with the recent financial market crisis (the subprime crisis in the housing market), we have a vibrant ecosystem of applications and Web sites whose base is not solid enough. The risk is real that the basis of this ecosystem can collapse, as happened with the financial market, and the consequences could be devastating for the whole of society. As in the case of the financial markets, solidifying the infrastructure is important, and the cost is certainly lower than what would be incurred if a crisis struck before any action was taken.<br />
<br />
Brazil was far less affected by the subprime crisis than other countries because it had already built a solid foundation for its financial market. It is time to learn from this experience and prepare ourselves well in other important sectors of our economy and our daily lives.<br />
<br />
==The OWASP Project==<br />
<br />
OWASP (Open Web Application Security Project) is a global community focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe that bring together the world's leading experts in application security.<br />
<br />
OWASP is an open community dedicated to empowering organizations to conceive, develop, acquire, operate and maintain systems that are reliable. All OWASP tools, documents, forums, and chapters are free and open to anyone interested in improving application security.<br />
<br />
OWASP is a new type of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, although it supports the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.<br />
<br />
Among OWASP's deliverables are documents and important tools for maintaining the security of applications; OWASP also promotes important conferences in this area. All OWASP projects are published under [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].<br />
<br />
OWASP is a non-profit and its members participate in its activities voluntarily. All of the project's funds come from donations and are used to support its activities and its infrastructure.<br />
<br />
==What can we do?==<br />
<br />
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.<br />
<br />
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.<br />
<br />
===By legislators===<br />
<br />
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality in the Internet. It is necessary that governments acts to create incentives for the adoption of safe practices in system development and also make accountable the people and organizations that do not properly address the security aspects of their applications.<br />
<br />
Some suggested actions are:<br />
<br />
====Allow and encourage research on cyber attacks and defenses====<br />
<br />
Cyber crime legislation is needed and OWASP's position is the protection of illegal or harmful activities. However, OWASP realizes that some initiatives to legislate about electronic crimes may also hamper legitimate activities and the much needed research that will allow us to correctly address security vulnerabilities. <br />
<br />
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.<br />
<br />
====Require the publication of safety assessments====<br />
<br />
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information that the teams responsible for maintaining the security of network providers, companies or the government.<br />
<br />
As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.<br />
<br />
====Create an agency to address the aspects of disclosure of security flaws====<br />
<br />
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.<br />
<br />
====Require compliance with minimum security requirements in government contracts====<br />
<br />
The purchasing power of the State can not be ignored and must be used in favor of society. With respect to software security, the government can set minimum security criteria and require qualification and use of technical protections in systems provided to the government. An important aspect is the possibility of holding the suppliers accountable in case of failures in safety systems.<br />
<br />
====Make organizations which are not diligent about software security accountable====<br />
<br />
Just as government suppliers, all organizations must be legally responsible for the security of systems that operate or sell. The legislation should provide for punishment to those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.<br />
<br />
====Require that the government have access to security updates for all software during its lifetime====<br />
<br />
It is imperative that the systems used by public agencies are always updated with all security fixes, so that they are not affected by known vulnerabilities.<br />
Thus, legislation is needed to establish that the government must have access to security fixes for the systems it employs for the entire useful life of these systems, regardless of the existence of maintenance contracts.<br />
<br />
====Require open sourcing of applications used by the government and whose lifetime has expired====<br />
<br />
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of a product's life, manufacturers stop publishing updates and security fixes, which increases the risk for organizations still relying on these versions.<br />
<br />
It is also quite common for government agencies to keep using systems that have been abandoned by their manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires legislation compelling manufacturers to make the source code of these systems available, so that the government can perform the necessary maintenance once the manufacturer no longer maintains the system. The manufacturer may instead choose to provide the most current version of the software, provided there is no cost to the government.<br />
<br />
====Eliminate software licenses which exempt manufacturers from liability for the security of their products====<br />
<br />
Many current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer from avoiding liability for the safety and security of the products it sells.<br />
<br />
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.<br />
<br />
===For consumer protection agencies===<br />
<br />
Our understanding is that the protection of customer information is part of the necessary practices of consumer protection, as is the supply of systems free of defects, especially defects that may compromise the security of their users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.<br />
<br />
We suggest the following actions:<br />
<br />
====Act to restrict the use of abusive software licenses====<br />
<br />
This action is similar and complementary to the item &quot;Eliminate software licenses which exempt manufacturers from liability for the security of their products&quot;, described above.<br />
<br />
====Require manufacturers to disclose understandable information on the security level of their products or services====<br />
<br />
Just as manufacturers of electrical and electronic goods must disclose information on the energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.<br />
<br />
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.<br />
<br />
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.<br />
<br />
====Require an adequate level of security for systems that deal with private data====<br />
<br />
Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, minimum procedures for the protection of information collected from consumers must be defined, and public or private organizations that do not adequately protect private information should be liable. Personal information leaks should be punishable and should be disclosed. In particular, all those potentially affected by a leak should be alerted to the fact and its possible consequences.<br />
<br />
Some places already have legislation on data leaks, and this item may be unnecessary there.<br />
<br />
====Define that consumers should be informed of all possible uses of data provided to systems or sites====<br />
<br />
Not only must organizations protect the data collected from consumers, but consumers should also know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations be obliged to disclose all possible uses of the data they collect, including future uses. Any change in data use policies must be communicated in advance and explicitly accepted by the affected consumers.<br />
<br />
Some places already have legislation on this issue, and this item may be unnecessary there.<br />
<br />
====Establish software security awareness campaigns for consumers====<br />
<br />
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.<br />
<br />
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their personal computer to prevent it from becoming a weapon in the hands of cybercriminals.<br />
<br />
===For oversight agencies===<br />
<br />
Auditing bodies can and should demand from sectors that they oversee the adoption of appropriate practices for application security. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:<br />
<br />
====Define clear responsibilities about application security====<br />
<br />
Every organization should be responsible for the security of its systems, and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where systems lack adequate security.<br />
<br />
====Verify and audit to ensure that appropriate security practices are adopted====<br />
<br />
Whenever possible, audits or inspections must include items to assess whether application security best practices were properly adopted. We believe that audits are an opportunity to improve the practices adopted by organizations, and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.<br />
<br />
There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).<br />
<br />
====Insert the security aspects of applications in regulations or recommendations====<br />
<br />
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.<br />
<br />
====Facilitate the creation of an insurance market for application security====<br />
<br />
As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.<br />
<br />
An insurance market allows part of the security risk to be transferred to an insurer, while tending to increase insurance costs for entities that do not properly address the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to raise their security level.<br />
<br />
====Require the use of encrypted connections (SSL) for web applications====<br />
<br />
Many of today's attacks are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which encrypts the data transmitted between the browser and web servers, ensuring the confidentiality and authenticity of the information.<br />
<br />
Thus, a simple and effective measure to improve the security of web systems is to require that data be transmitted securely over the Internet.<br />
<br />
===For research and teaching institutions===<br />
<br />
Training the workforce is essential to move any country forward in all areas closely linked to technology. For the application security market to boom, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. An adequate workforce should be built by including security in university curricula and by training researchers able to develop new techniques and methodologies that advance the field. Interaction between educational and research institutions and industry, for technology transfer and productization, is much needed.<br />
<br />
The suggested actions for education and research institutions are:<br />
<br />
====Inclusion of application security best practices in course contents====<br />
<br />
It is essential that all information technology professionals are aware of basic security practices, and the inclusion of such content in university training is the best way to achieve this goal.<br />
<br />
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.<br />
<br />
====Creation of advanced courses in the field====<br />
<br />
Besides the basic practices that must be known to all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.<br />
<br />
====Promote and fund application security research====<br />
<br />
Generating knowledge is also essential for a country to take world leadership in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.<br />
<br />
The promotion of knowledge and technology development in business is critical to a country's ability to create a market for application security products and to create advanced and innovative technologies.<br />
<br />
====Promote the training of professionals capable of acting with ethics and responsibility====<br />
<br />
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. Ethics training must be an essential part of the education of these professionals.<br />
<br />
===For all public bodies===<br />
<br />
Any public agency can help improve the current state of affairs, either by raising awareness and providing training or by using its purchasing power to favor companies that adequately address the security aspects of applications.<br />
<br />
The suggested actions for all public organizations are:<br />
<br />
====Finance validation and security fixes for open source systems====<br />
<br />
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential to these organizations that these open source systems are secure and reliable. Public agencies should invest in security assessments of the open source systems they adopt, in developing fixes for the security flaws found in these systems, and in the responsible disclosure of both flaws and fixes.<br />
<br />
Thus, public agencies can better serve society thanks to the improved security of their own systems and of third-party systems.<br />
<br />
====Promote the use of application security technologies and methodologies====<br />
<br />
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.<br />
<br />
It should be the responsibility of each agency to ensure that its systems have adequate security and that appropriate techniques are used in developing its computer systems.<br />
<br />
====Promote and enable security testing responsibly but openly====<br />
<br />
Security testing is a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to test its systems in order to locate flaws, and should repair the vulnerabilities found as soon as possible.<br />
<br />
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own covert testing of these systems, something legitimate, well-intentioned researchers cannot do, so criminals have an advantage when it comes to the security of these systems. The best way to redress this imbalance is to facilitate the work of researchers and security professionals in finding flaws and reporting them appropriately, instead of letting these flaws be used as currency in the digital underworld.<br />
<br />
====Promote awareness and training of managers about the challenges of web security====<br />
<br />
All public bodies should be concerned about the security of their systems, and this concern should be part of the direction given by the senior management of each government organization. It is therefore important that managers of all agencies participate in training and awareness sessions on this subject.<br />
<br />
==Competitive advantages for the country==<br />
<br />
The technology field is an economic activity with high added value and the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.<br />
<br />
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in case of cyber-conflicts or electronic warfare.<br />
<br />
The development of a field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability.<br />
<br />
Improving the online business environment tends to improve the country's international image, so that it comes to be regarded as a safe haven for business, both online and off. A favorable business environment may attract international investment, especially in businesses directly related to the Internet or to enterprise software development.<br />
<br />
==How can OWASP help?==<br />
<br />
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.<br />
<br />
The materials and guidelines developed by OWASP can be translated into any language to serve as input for developing legislation or regulations. OWASP has good-practice guides and standards that can be used as input to the development of governmental documents in line with international best practices.<br />
<br />
The experts who participate in OWASP are willing to help the country move in the right direction and may serve as an advisory body or as a liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.</div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_ManifestoOWASP Brasil Manifesto2011-06-19T02:13:38Z<p>Sapao: /* Translations */</p>
<hr />
<div>=Web Security: A Window of Opportunities=<br />
<br />
== What is the manifesto ==<br />
This manifesto has been written by the OWASP Chapters in Brazil as a recommendation to the Brazilian Government. It aims to help government officials think about Application Security and recommends several lines of action that can improve the current panorama of application security.<br />
<br />
The document contains recommendations for legislators, consumer protection agencies, educators and general recommendations that any government agency can adopt.<br />
<br />
== Original Portuguese version ==<br />
<br />
'''Wiki version:''' [[OWASP_Brasil_Manifesto/br]]<br />
<br />
'''PDF version:''' [[media: Seguranca na web - uma janela de oportunidades.pdf]]<br />
<br />
== Translations ==<br />
<br />
[https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/en Draft English Translation]<br />
<br />
==Project==<br />
<br />
This document has been included in the [[OWASP Portuguese Language Project]].</div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_Manifesto/enOWASP Brasil Manifesto/en2011-06-18T17:38:04Z<p>Sapao: </p>
<hr />
<div>=Web Security - A Window of Opportunity=<br />
'''An open letter from OWASP Brazil to the Brazilian Government'''<br />
<br />
==Executive Summary==<br />
OWASP (Open Web Application Security Project) is a global and open community focused on improving the security of software systems and has chapters in several Brazilian cities. This document presents the vision of the Brazilian OWASP community on how the Brazilian government can act to improve security on the Internet.<br />
<br />
In this paper, we present suggestions and recommendations regarding public policy, legislation and other activities that we believe could contribute to improving the security environment on the Brazilian Internet.<br />
<br />
The recommendations are divided according to the focus of each agency:<br />
* legislators<br />
* consumer protection bodies<br />
* control and audit bodies<br />
* teaching and research entities<br />
* all public bodies<br />
<br />
The recommendations do not depend on each other, but we believe that maximum effectiveness is achieved by implementing all of them. Improving security on the Brazilian Internet could bring several advantages for the country, such as attracting investment, training the workforce and developing an industry capable of exporting products and services with high added value.<br />
<br />
Brazilian experts who participate in OWASP are willing to help the country move in the right direction and may serve as an advisory body or as a liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.<br />
<br />
==Web Insecurity==<br />
<br />
This section is highly dependent on the local reality and should be adapted for each geographic region.<br />
The text below shows an example written for the Brazilian reality.<br />
<br />
The Internet is now a reality in the lives of most people, as shown by statistics on the number of users. IBGE data for 2009 indicated that 27.4% of Brazilian households had Internet access and that 67.9 million people were Internet users in the same year. The surveys also indicate rapid growth in the number of Internet users, with an increase of 112.9% between 2005 and 2009.<br />
<br />
Internet access methods have also diversified and now include everything from traditional telecenters and cybercafes to access via cell phone, as well as dial-up and broadband. Thus, users range from the casual user who connects from a public computer to &quot;always connected&quot; users, who access the Internet from a computer or cell phone at all times and wherever they are.<br />
<br />
Whatever the frequency or access method, it is undeniable that the Internet is now part of everyday life. Companies also increasingly rely on the Internet as a business tool. Even disregarding businesses that exist solely on the Internet, today it is very difficult to find any organization that does not rely on the Internet in some way. With the advent of the electronic invoice, the Internet gains even greater importance in day-to-day business.<br />
<br />
The Brazilian government has also invested in e-gov, or electronic government, strategies, which consist of providing services to the population via the Internet. The most important example in this area is, without doubt, the Individual Income Tax return, which in 2011 started to be accepted only in electronic format. Another example is the large-scale SISU - Unified Selection System of the Ministry of Education. Other services, while not available on the Internet, have similar characteristics and the potential to bring the country to a halt, such as the Brazilian Payment System (SPB), maintained by the Central Bank.<br />
<br />
The Judiciary is also making strides in computerization and in the use of the Internet to provide services to citizens. Examples are the widespread use of electronic court proceedings and the monitoring of judicial proceedings over the web. Many courts are studying ways to allow documents to be filed and proceedings to be opened by electronic means, especially via the Internet.<br />
<br />
In communications, the Internet has also been incorporated into, and has changed, the routine of millions of people. E-mail is almost as popular as the telephone. Instant messaging systems, such as MSN Messenger or Google Talk, are used by most of the population as tools for work or leisure. Social networks like Facebook, Orkut or Twitter are a reality in the lives of individuals and companies and are gaining importance as tools for community building and also for business.<br />
<br />
Although it is becoming essential to society, the Internet is inherently an insecure infrastructure. Designed in the 1960s to withstand a nuclear attack, the Internet is able to continue operating even if a disaster occurs in the network. However, this infrastructure depends on a number of computer programs, called software. It is software that defines the rules for the operation of computers, routers and other components of the World Network.<br />
As in all human activity, software development is prone to errors. Mistakes in software can lead to failures, including security breaches. Lawrence Lessig, a law professor at Harvard University, said that &quot;Code is law&quot;, i.e., software is the law that governs the Internet. As a result, the &quot;laws&quot; governing the Internet are flawed, and these flaws can cause problems for the security of the network's users.<br />
<br />
Flaws in Internet security are common and regularly in the news. There are several cases reported by the police of criminals who use the Internet to commit their crimes. In most cases, these crimes are possible due to a lack of an adequate level of security in systems. Bank fraud is perhaps the greatest example of the exploitation of security flaws, but other types of fraud involving sites and systems exist and can cause damage to the population.<br />
<br />
Society's dependence on Internet services is such that the mere unavailability of some of these services (often caused by attackers using techniques that exploit security holes in the Internet infrastructure) is featured on the evening news, as with the unavailability of large government systems (Denatran, IRPF, SISU).<br />
<br />
CERT.br, the Centre for Studies, Response and Treatment of Security Incidents in Brazil, is the Brazilian Internet Steering Committee agency that collects information on attacks on the Brazilian Internet. The CERT.br statistics show that the number of attacks on Brazilian networks increased from 3107 in 1999 to 358,343 in 2009, an increase of 100 times in 10 years.<br />
<br />
The state of Internet security is delicate and tends to worsen as society becomes increasingly dependent on this infrastructure. By analogy with the recent financial market crisis (the subprime crisis in the housing market), we have a vibrant ecosystem of applications and web sites whose foundation is not solid enough. The risk is real that the foundation of this ecosystem could collapse, as happened with the financial market, and the consequences could be devastating for the whole of society. As in the case of financial markets, solidifying the infrastructure is important, and the cost is certainly lower than it would be if a crisis occurred before action was taken.<br />
<br />
Brazil was far less affected by the subprime crisis than other countries because it had already built a solid foundation for its financial market. It is time to learn from this experience and prepare ourselves well in other important sectors of our economy and our daily lives.<br />
<br />
==The OWASP Project==<br />
<br />
OWASP (Open Web Application Security Project) is a global community focused on improving software security. There are over 180 local OWASP chapters in all regions of the globe, bringing together the world's leading experts in application security.<br />
<br />
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate and maintain systems that can be trusted. All OWASP tools, documents, forums and chapters are free and open to anyone interested in improving application security.<br />
<br />
OWASP is a new type of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective advice on application security. OWASP is not affiliated with any technology company, although it supports the informed use of commercial security technology. Like many open-source software projects, OWASP produces many types of materials in a collaborative and open manner.<br />
<br />
Among OWASP's projects are documents and important tools for maintaining application security, and OWASP also promotes important conferences in this area. All OWASP projects are published under [https://www.owasp.org/index.php/OWASP_Licenses free software or Creative Commons licenses].<br />
<br />
OWASP is a non-profit, and its members participate in its activities voluntarily. All proceeds of the project come from donations and are used to support its activities and its infrastructure.<br />
<br />
==What can we do?==<br />
<br />
Given the importance of software in today's economy, it is imperative that governments act to develop a market capable of producing software whose security level is appropriate to its intended usage and the importance of the information it will process or store. In this section, we list some recommendations of what can be done to improve the prospects for software security.<br />
<br />
We believe that the actions proposed here have the potential to improve the security of software systems used by millions of people and also to promote a thriving industry able to put our country among the world leaders, creating prosperity and economic growth.<br />
<br />
===By legislators===<br />
<br />
The current software market provides incentives that emphasize functionality over security. As a result, everyone ends up suffering from the lack of security that is today's reality on the Internet. Governments must act to create incentives for the adoption of secure practices in system development and also hold accountable the people and organizations that do not properly address the security aspects of their applications.<br />
<br />
Some suggested actions are:<br />
<br />
====Allow and encourage research on cyber attacks and defenses====<br />
<br />
Cyber crime legislation is needed, and OWASP's position favors protection against illegal or harmful activities. However, OWASP realizes that some initiatives to legislate electronic crimes may also hamper legitimate activities and the much-needed research that will allow us to correctly address security vulnerabilities.<br />
<br />
We believe that legislation should focus on intent, criminalizing activities that aim to cause damage to society and enabling research activities that benefit society by creating knowledge crucial to the improvement of secure systems.<br />
<br />
====Require the publication of security assessments====<br />
<br />
Disseminating information about security vulnerabilities is essential to enable society to protect itself from attacks that exploit these faults. Today we know that criminals involved in digital networks do exchange information and have ample access to descriptions of failures and new attack techniques. In other words, criminals now have more access to information that the teams responsible for maintaining the security of network providers, companies or the government.<br />
<br />
As with the aviation industry, where the failures are thoroughly investigated and the results of investigations are published, it is important that the flaws found in computer systems and the description of attacks suffered by organizations are widely disseminated, allowing the whole society to learn from the problems that occurred in order to evolve the security of systems on which we depend.<br />
<br />
====Create an agency to address the aspects of disclosure of security flaws====<br />
<br />
With the publication of laws requiring disclosure of security breaches, it is important to regulate this activity. We suggest the creation of a specialized government agency to regulate and manage the activities of exchanging information on security vulnerabilities in an ethical and responsible way, including the power to punish people and organizations that act in a manner harmful to society.<br />
<br />
====Require compliance with minimum security requirements in government contracts====<br />
<br />
The purchasing power of the State can not be ignored and must be used in favor of society. With respect to software security, the government can set minimum security criteria and require qualification and use of technical protections in systems provided to the government. An important aspect is the possibility of holding the suppliers accountable in case of failures in safety systems.<br />
<br />
====Make organizations which are not diligent about software security accountable====<br />
<br />
Just as government suppliers, all organizations must be legally responsible for the security of systems that operate or sell. The legislation should provide for punishment to those organizations that fail to take adequate measures to ensure the security of their systems. The suppliers of the technologies used should also be liable.<br />
<br />
====Require that the government have access to security updates for all software during its lifetime====<br />
<br />
It is imperative that the systems used by public agencies are always updated with all security fixes, so that they are not affected by known vulnerabilities.<br />
Thus, legislation is needed to establish that the government must have access to security fixes for the systems it employs for the duration of their useful life, regardless of the existence of maintenance contracts.<br />
<br />
====Require open sourcing of applications used by the government and whose lifetime has expired====<br />
<br />
It is quite common for software manufacturers to restrict the lifetime of their systems, mainly because of the release of new versions of these systems. At the end of a product's life, manufacturers stop publishing updates and security fixes, which increases the risk for organizations still relying on these versions.<br />
<br />
It is also quite common in government agencies to keep using systems that have been abandoned by manufacturers but that still meet the needs of the public administration. Allowing the government to protect itself in case of failures in these systems requires the creation of legislation to compel manufacturers to make available the source code for these systems so that the government is able to perform the necessary maintenance, since the manufacturer no longer maintains the system. The manufacturer may also choose to provide the most current version of the software, provided there is no cost to the government.<br />
<br />
====Eliminate software licenses which exempt manufacturers from liability for the security of their products====<br />
<br />
Many of the current software licenses restrict the liability of the manufacturer in case of software security flaws. It is important to have legislation that prevents a software manufacturer from avoiding liability for the safety and security of the products it sells.<br />
<br />
To avoid distortions in the software market, manufacturers' liability may be limited to the amount paid.<br />
<br />
===For consumer protection agencies===<br />
<br />
Our understanding is that the protection of customer information is part of the necessary practices of consumer protection, as is the supply of systems free of defects, especially defects that may compromise the security of their users. Thus, consumer protection agencies can and should act to improve the security landscape for consumers.<br />
<br />
We suggest the following actions:<br />
<br />
====Act to restrict the use of abusive software licenses====<br />
<br />
This action is similar and complementary to the item &quot;Eliminate software licenses which exempt manufacturers from liability for the security of their products&quot;, described above.<br />
<br />
====Require manufacturers to disclose understandable information on the security level of their products or services====<br />
<br />
As with manufacturers of electrical and electronic goods that must disclose information on energy consumption of their products, consumers have the right to know about the characteristics and the level of security provided by the computer systems they use.<br />
<br />
It is imperative to create a system that allows consumers to check the level of security a software product provides as part of their decision-making process. Such a system would reduce some of the perverse externalities of the software market and create incentives for software producers to enhance the security of their products.<br />
<br />
In this item, it is possible to quote existing local consumer rights legislation regarding defects in acquired products.<br />
<br />
====Require an adequate level of security for systems that deal with private data====<br />
<br />
Many organizations collect private information from their clients during their business relationships, but do not always protect this information adequately. Thus, minimum procedures for the protection of information collected from consumers must be defined, and public or private organizations that do not adequately protect private information should be held liable. Personal information leaks should be punishable and should be disclosed. In particular, all those potentially affected by the leak should be alerted to the fact and its possible consequences.<br />
<br />
Some places already have legislation on data leaks and this item may be unnecessary.<br />
<br />
====Define that consumers should be informed of all possible uses of data provided to systems or sites====<br />
<br />
Not only must organizations protect the data collected from consumers, but consumers should also know all the possible uses of the information being collected. It is therefore necessary that all public and private organizations have the obligation to disclose all possible uses for the data they collect, including future uses. Any change in data use policies must be communicated in advance and explicitly accepted by the affected consumers.<br />
<br />
Some places already have legislation about this issue and this item may be unnecessary.<br />
<br />
====Establish software security awareness campaigns for consumers====<br />
<br />
In addition to actions that require software makers to act responsibly towards consumers, it is also important to teach users of computer systems about the risks of using these systems.<br />
<br />
Just as it is important to make awareness campaigns for traffic safety or disease control, it is important to educate Internet users about the risks that come from an increasingly connected world. Campaigns should address topics such as the risks of entering personal data in unknown sites or the care that each person should have with their personal computer to prevent it from becoming a weapon in the hands of cybercriminals.<br />
<br />
===For oversight agencies===<br />
<br />
Auditing bodies can and should demand from sectors that they oversee the adoption of appropriate practices for application security. These bodies should establish regulations that favor the use of security techniques in software development. Thus, the suggested actions are:<br />
<br />
====Define clear responsibilities about application security====<br />
<br />
Every organization should be responsible for the security of its systems and this should be clearly defined. Oversight bodies should, where possible, include the responsibility to maintain the security of information systems as part of their regulations. There must be provision for punishment in cases where systems lack adequate security.<br />
<br />
====Verify and audit to ensure that appropriate security practices are adopted====<br />
<br />
Whenever possible, audits or checks must include items to assess whether the best practices of application security were properly adopted. We believe that audits are an opportunity to improve the practices adopted by organizations and oversight agencies should be prepared to require the maintenance of adequate levels of security in the auditee's systems.<br />
<br />
There are some models that can guide the practices of system security audit such as the [http://www.sse-cmm.org/ SSE-CMM] (Systems Security Engineering Capability Maturity Model), [http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project OWASP ASVS] (Application Security Verification Standard) or [http://www.opensamm.org/ SAMM] (Software Assurance Maturity Model).<br />
<br />
====Insert the security aspects of applications in regulations or recommendations====<br />
<br />
Many oversight agencies publish regulations or oversight recommendations for the sectors they regulate. It is important that these regulations or recommendations include application security aspects and clearly indicate the need to include security requirements in contracts with suppliers.<br />
<br />
====Facilitate the creation of an insurance market for application security====<br />
<br />
As much as accountability for failing to maintain appropriate levels of security is important, it is also important to create an insurance market for application security.<br />
<br />
An insurance market allows the transfer of part of the security risks to an insurer, while it tends to increase insurance costs for entities that do not have a proper treatment of the security aspects of their systems. Along with accountability mechanisms, a properly functioning insurance market produces strong incentives for organizations to increase their security level.<br />
<br />
====Require the use of encrypted connections (SSL) for web applications====<br />
<br />
Many of the attacks that exist today are only possible because some organizations do not use even the most basic security mechanisms available. One such mechanism is the SSL protocol, which encrypts the data transmitted between browsers and web servers, ensuring the confidentiality and authenticity of the information.<br />
<br />
Thus, a simple and effective measure to improve the security of web systems is to require that data be transmitted securely over the Internet.<br />
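An oversight body that adopts this requirement needs a way to check it. The following Python helper is an added example, not part of the manifesto or of any OWASP project: it takes two constructed response records for a site (the answer to a plain-HTTP request and the answer to an HTTPS request) and reports whether encrypted transport is actually enforced. It checks that cleartext requests are redirected to an https:// URL rather than served, that the HTTPS endpoint sends a Strict-Transport-Security header (the one-year `MIN_HSTS_AGE` threshold and the `example.test` host are assumptions of the example), and that session cookies carry the Secure flag. The manifesto names SSL; today the same protection is provided by TLS, and the checks below apply equally to either.<br />

```python
"""Offline audit helper: does a site enforce encrypted connections?

Added example (not from the OWASP Brasil Manifesto). It evaluates
constructed HTTP response records, so it runs without network access;
a real auditor would fill the records from an HTTP client.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Response:
    """Minimal view of one HTTP response: status and (name, value) headers.

    Headers are kept as a list because some, like Set-Cookie, may repeat.
    """
    status: int
    headers: list = field(default_factory=list)


def get_headers(resp, name):
    """Return every value of a header, matched case-insensitively."""
    return [v for k, v in resp.headers if k.lower() == name.lower()]


def hsts_max_age(value):
    """Extract the max-age directive from a Strict-Transport-Security value."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return None


# Assumed threshold (one year); the manifesto itself sets no number.
MIN_HSTS_AGE = 365 * 24 * 3600


def assess_transport(http_resp, https_resp):
    """Return a list of findings; an empty list means transport looks enforced."""
    findings = []

    # 1. A cleartext request must be redirected to https, never answered.
    if http_resp is not None:
        if http_resp.status in (301, 302, 307, 308):
            targets = get_headers(http_resp, "Location")
            if not targets or urlparse(targets[0]).scheme != "https":
                findings.append("http: redirect does not lead to https")
        elif 200 <= http_resp.status < 300:
            findings.append("http: content served in cleartext without redirect")

    # 2. The encrypted endpoint must exist and tell browsers to keep using it.
    if https_resp is None:
        findings.append("https: endpoint unavailable")
        return findings
    hsts = get_headers(https_resp, "Strict-Transport-Security")
    if not hsts:
        findings.append("https: missing Strict-Transport-Security header")
    else:
        age = hsts_max_age(hsts[0])
        if age is None or age < MIN_HSTS_AGE:
            findings.append("https: HSTS max-age below one year")

    # 3. Cookies issued over https must not be sent back over cleartext.
    for cookie in get_headers(https_resp, "Set-Cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            name = cookie.split("=", 1)[0].strip()
            findings.append(f"https: cookie without Secure flag: {name}")
    return findings


# Constructed sample records for a well-configured and a weak site.
GOOD_HTTP = Response(301, [("Location", "https://example.test/")])
GOOD_HTTPS = Response(200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly"),
])
WEAK_HTTP = Response(200, [("Content-Type", "text/html")])
WEAK_HTTPS = Response(200, [("Set-Cookie", "session=abc123; Path=/")])

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_HTTP, GOOD_HTTPS)),
                        ("weak", (WEAK_HTTP, WEAK_HTTPS))):
        print(label, assess_transport(*pair) or ["no findings"])
```

The three checks are deliberately ordered from the most visible failure (cleartext content) to the subtler ones (missing HSTS, insecure cookies), since a site that fails the first check also exposes every cookie regardless of flags.<br />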
<br />
===For research and teaching institutions===<br />
<br />
Training the workforce is essential to move any country forward in all areas closely linked to technology. To have a booming application security market, it is necessary to train an adequate number of experts in both the attack and defense aspects of this discipline. The training of an adequate workforce should happen through the inclusion of security in university curricula and also through the training of researchers able to build new techniques and methodologies to advance this field. Interaction between educational and research institutions and industry, for technology transfer and productization, is much needed.<br />
<br />
The suggested actions for education and research institutions are:<br />
<br />
====Inclusion of application security best practices in course contents====<br />
<br />
It is essential that all information technology professionals are aware of basic security practices, and the inclusion of such content in university training is the best way to achieve this goal.<br />
<br />
Students in primary and secondary schools must also learn about the dangers of the virtual world. At these education levels, the focus should be on the risks involved in using systems or websites like social networks or e-commerce sites. The ethical aspects of Internet use should also be emphasized.<br />
<br />
====Creation of advanced courses in the field====<br />
<br />
Besides the basic practices that must be known to all professionals, it is necessary to train specialists in software security for the country to develop a thriving security industry and to generate wealth.<br />
<br />
====To promote and fund application security research====<br />
<br />
Generating knowledge is also essential for a country to take the world leadership in application security. And the only way to increase the generation of new knowledge is to promote and fund research in the area, whether undertaken by public or private institutions.<br />
<br />
The promotion of knowledge and technology development in business is critical to a country's ability to create a market of application security products and to create advanced and innovative technologies.<br />
<br />
====To promote the training of professionals capable of acting with ethics and responsibility====<br />
<br />
The whole process of training undergraduates and researchers should prioritize the responsibility and ethical aspects of security. The ethics training must be an essential part of training these professionals.<br />
<br />
===For all public bodies===<br />
<br />
Any public agency may help to improve the current state of affairs, either by raising awareness and providing training, or by using its purchasing power to favor companies that adequately address the security aspects of applications.<br />
<br />
The suggested actions for all public organizations are:<br />
<br />
====Financing validations and security fixes for open source systems====<br />
<br />
Many government agencies use open source systems as part of their information technology infrastructures. It is therefore essential for these organizations that these open source systems are secure and reliable. Public agencies should invest in making security assessments of the open source systems they adopt, in developing fixes for the security flaws found in these systems, and in the responsible disclosure of both flaws and fixes.<br />
<br />
Thus, public agencies can better serve society due to the improved security of their own systems and third party systems.<br />
<br />
====Promote the use of application security technologies and methodologies====<br />
<br />
Each public agency should require and promote the use of technologies and methodologies for developing secure applications, both internally and by its suppliers.<br />
<br />
It should be the responsibility of each agency to ensure that its systems have adequate security and that appropriate techniques are used in developing its computer systems.<br />
<br />
====Promote and enable security testing responsibly but openly====<br />
<br />
Security tests are a major tool for finding security holes in computer systems. Each public agency should establish a program that allows security researchers to conduct tests on their systems in order to locate faults and should repair the vulnerabilities as soon as possible.<br />
<br />
We emphasize that the tests should be done in an ethical and responsible way and should be seen as a form of collaboration to improve government systems. We believe that cybercriminals are already conducting their own covert testing of these systems, while legitimate researchers with good intentions are not. Criminals thus have an advantage when it comes to the security of these systems. The best way to balance this dispute is to facilitate the work of researchers and security professionals in finding faults and reporting them appropriately, instead of having these faults used as a currency in digital underworlds.<br />
<br />
====Promote awareness and training of managers about the challenges of web security====<br />
<br />
All public bodies should be concerned about the security of their systems and this concern should be part of the direction given by senior management of each government organization. It is therefore important that managers of all agencies participate in training and awareness sessions in this regard. <br />
<br />
==Competitive advantages for the country==<br />
<br />
The technology field is an economic activity with high added value and the ability to generate wealth for the country. With the support and leadership from the government, the country has the potential to become a world leader in application security, and may also generate revenue by exporting products and services with high added value and by creating new businesses.<br />
<br />
Because it is a labor-intensive activity, there is also the possibility of creating jobs in the country for highly trained professionals. The existence of trained professionals in security also supports national sovereignty, since such knowledge is crucial in case of cyber-conflicts or electronic warfare.<br />
<br />
The development of a field closely linked to information technology also has the potential to foster the development of related areas, increasing the country's technological capability. <br />
<br />
The improvement of the online business environment tends to improve the country's international image, so that it begins to be considered a safe haven for business, both online and off. A favorable business environment may attract international investments, especially investments in businesses directly related to the Internet or enterprise software development.<br />
<br />
==How can OWASP help?==<br />
<br />
OWASP is an international community and brings together leading experts on the subject worldwide, including civil servants. All materials and systems developed by OWASP are freely available to the government to use as it deems most appropriate. The OWASP community can also help in developing materials or tools to meet the specific needs of government agencies.<br />
<br />
The materials and guidelines developed by OWASP can be translated into any language in order to serve as input for developing legislation or regulations. OWASP has good practice guides and standards that can be used as input to the development of governmental documents in line with the best international practices.<br />
<br />
The experts that participate in OWASP are willing to contribute to making the country move in the right direction and may serve as an advisory body or as a liaison with foreign experts if necessary. OWASP is a non-profit and all specialists involved are volunteers.</div>Sapaohttps://www.owasp.org/index.php/OWASP_Brasil_Manifesto/brOWASP Brasil Manifesto/br2011-06-18T17:34:03Z<p>Sapao: /* Segurança na Web: Uma janela de oportunidades */</p>
<hr />
<div>=The Brazilian Portuguese version of the manifesto in wiki format=<br />
<br />
Here we link to a page for each section of the manifesto. The linked pages are in Portuguese.<br />
<br />
== Web Security: A Window of Opportunity ==<br />
<br />
'''A message from OWASP Brasil to the Brazilian Government'''<br />
<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Sum%C3%A1rio_Executivo Executive Summary]<br />
* [https://www.owasp.org/index.php?title=OWASP_Brasil_Manifesto/br/A_inseguran%E7a_na_Web Insecurity on the Web]<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_Projeto_OWASP The OWASP Project]<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#O_que_pode_ser_feito.3F What can be done?]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_legisladores By legislators]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Permitir_e_incentivar_pesquisas_sobre_ataques_e_defesas_cibern.C3.A9ticas Allow and encourage research on attacks and defenses]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Requerer_a_publica.C3.A7.C3.A3o_de_avalia.C3.A7.C3.B5es_de_seguran.C3.A7a Require the publication of security assessments]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Criar_uma_ag.C3.AAncia_para_tratar_os_aspectos_de_divulga.C3.A7.C3.A3o_de_falhas_de_seguran.C3.A7a Create an agency to address the aspects of disclosure of security flaws]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_o_cumprimento_de_requisitos_m.C3.ADnimos_de_seguran.C3.A7a_em_contratos_governamentais Require compliance with minimum security requirements in government contracts]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Responsabilizar_organiza.C3.A7.C3.B5es_que_n.C3.A3o_tratem_com_dilig.C3.AAncia_os_aspectos_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Make organizations which are not diligent about application security accountable]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_que_a_administra.C3.A7.C3.A3o_p.C3.BAblica_tenha_acesso_.C3.A0s_atualiza.C3.A7.C3.B5es_de_seguran.C3.A7a_de_qualquer_software_durante_a_sua_vida_.C3.BAtil Require that the public administration have access to security updates for any software during its lifetime]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_a_abertura_do_c.C3.B3digo_fonte_de_aplicativos_utilizados_pela_administra.C3.A7.C3.A3o_p.C3.BAblica_cuja_vida_.C3.BAtil_tenha_terminado Require open sourcing of applications used by the public administration whose lifetime has ended]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Eliminar_licen.C3.A7as_de_software_que_isentam_os_fabricantes_da_responsabilidade_com_a_seguran.C3.A7a_de_seus_produtos Eliminate software licenses which exempt manufacturers from liability for the security of their products]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_defesa_do_consumidor By consumer protection agencies]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Atuar_para_restringir_o_uso_de_licen.C3.A7as_de_software_abusivas Act to restrict the use of abusive software licenses]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_que_os_fabricantes_divulguem_informa.C3.A7.C3.B5es_intelig.C3.ADveis_sobre_o_n.C3.ADvel_de_seguran.C3.A7a_de_seus_produtos_e.2Fou_servi.C3.A7os Require manufacturers to disclose understandable information on the security level of their products or services]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Exigir_um_n.C3.ADvel_adequado_de_seguran.C3.A7a_de_sistemas_que_lidem_com_dados_que_possam_afetar_a_privacidade_dos_consumidores_ou_cidad.C3.A3os Require an adequate level of security for systems that handle data that may affect the privacy of consumers or citizens]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Definir_que_os_consumidores_devem_ser_informados_dos_poss.C3.ADveis_usos_dos_dados_inseridos_em_sistemas_ou_sites Define that consumers must be informed of the possible uses of data entered into systems or sites]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Estabelecer_campanhas_de_conscientiza.C3.A7.C3.A3o_de_seguran.C3.A7a_para_os_consumidores Establish security awareness campaigns for consumers]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_controle By oversight agencies]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Definir_claramente_as_responsabilidades_com_rela.C3.A7.C3.A3o_aos_aspectos_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Clearly define responsibilities regarding application security aspects]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Verificar_e_auditar_para_garantir_que_pr.C3.A1ticas_adequadas_de_seguran.C3.A7a_s.C3.A3o_adotadas Verify and audit to ensure that adequate security practices are adopted]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Facilitar_a_cria.C3.A7.C3.A3o_de_um_mercado_de_seguros_para_a_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Facilitate the creation of an insurance market for application security]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Requerer_o_uso_de_conex.C3.B5es_criptografadas_.28SSL.29_para_aplica.C3.A7.C3.B5es_web Require the use of encrypted connections (SSL) for web applications]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_.C3.B3rg.C3.A3os_de_ensino_e_pesquisa By teaching and research institutions]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Inclus.C3.A3o_das_boas_pr.C3.A1ticas_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es_no_conte.C3.BAdo_dos_cursos Inclusion of application security practices in course contents]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Defini.C3.A7.C3.A3o_de_cursos_avan.C3.A7ados_para_forma.C3.A7.C3.A3o_de_m.C3.A3o-de-obra_na_.C3.A1rea Definition of advanced courses to train a workforce in the field]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Fomentar_e_financiar_pesquisas_sobre_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Promote and fund research on application security]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_a_forma.C3.A7.C3.A3o_de_profissionais_capazes_de_atuar_com_.C3.A9tica_e_responsabilidade Promote the training of professionals capable of acting with ethics and responsibility]<br />
** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Por_todos_os_.C3.B3rg.C3.A3os_p.C3.BAblicos By all public bodies]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Financiar_valida.C3.A7.C3.B5es_e_corre.C3.A7.C3.B5es_de_seguran.C3.A7a_para_sistemas_de_c.C3.B3digo_aberto Fund security validations and fixes for open source systems]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_o_uso_de_tecnologias_e_metodologias_de_seguran.C3.A7a_de_aplica.C3.A7.C3.B5es Promote the use of application security technologies and methodologies]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_e_permitir_testes_de_seguran.C3.A7a_de_forma_respons.C3.A1vel_mas_aberta Promote and allow security testing in a responsible but open way]<br />
*** [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/O_que_pode_ser_feito#Promover_treinamento_e_conscientiza.C3.A7.C3.A3o_dos_gestores_para_os_desafios_da_seguran.C3.A7a_na_web Promote training and awareness of managers about the challenges of web security]<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Vantagens_competitivas_para_o_Brasil Competitive advantages for Brazil]<br />
* [https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/br/Como_o_OWASP_pode_ajudar How can OWASP help?]<br />
* [https://www.owasp.org/index.php/Category:Brasil Contacts]</div>Sapao